Efforts to prevent cyberbreaches are top of mind for many companies as would-be attackers become more sophisticated.
In one recent attack aimed at in-house counsel, compliance managers and other company personnel, for instance, scammers posed as officials from the U.S. Securities and Exchange Commission in order to get inside information about companies.
It’s next to impossible to prevent every cyberattack, in-house lawyers say, but as scammers become smarter in their attempts to obtain valuable company information, in-house attorneys are taking on bigger roles to protect the company.
Security company FireEye Inc. discovered the SEC-branded email attacks in late February, when it intercepted emails targeted at 11 U.S.-based organizations in the financial services, transportation, retail, education, IT services and electronics sectors. The emails appeared to come from the SEC’s filing service, EDGAR, according to a blog post from FireEye, and the intended recipients all seemed to be involved in completing SEC filings for their companies.
This type of attack, called spear phishing, targets specific individuals or companies in order to gain unauthorized access to confidential information.
Cyber attackers are getting better every day at finding ways to access the information they want, said Alexa King, executive vice president, general counsel and secretary at FireEye. “Generally, these campaigns are becoming more sophisticated and customized, so it’s becoming more common to see [spear phishing] campaigns that are harder to identify as campaigns,” she said. “And it’s not uncommon for [attackers] to be masquerading as government agencies.”
With these attackers becoming more effective, the in-house counsel’s role is changing, especially when it comes to the general counsel, King said. “Boards are asking more and more about their own fiduciary duties around cybersecurity, so general counsel should be armed with the answers,” she said. “Because [general counsel] don’t want to be the weak link in the security chain that lets the bad guys in.”
Added responsibility can mean more risk for in-house counsel, said Ron Sarian, vice president and general counsel at eHarmony Inc. “In this day and age, in-house counsel have to have intimate knowledge of all of the cybersecurity safety efforts the company has in place,” he said, adding that “ultimately, if there’s a breach, it’ll all stop at the desk of the general counsel” with respect to reporting and informing the board.
“If you have more responsibility, there’s likely more at stake if something goes wrong,” Sarian noted.
So how can in-house counsel protect the company? In Sarian’s experience, something as simple as following the latest developments in cyberattacks can be very beneficial.
Around a year ago, he recalled, he read about an attack on Snapchat in which a scammer asked those in the tech company’s payroll department for personal employee information by impersonating the chief executive officer. After learning about this successful attack, Sarian said he told colleagues at eHarmony to be wary of something similar.
Sure enough, eHarmony got an identical phishing attack asking the accounting department to provide W-2s for salary review, according to Sarian. Fortunately, they knew not to respond. “I’m a voracious reader and I read everything related to tech that I can because reading what’s going on in the real world can really tip you off,” the GC noted.
It’s also critical that all of those who are managing or have access to a company’s data are properly trained, said David Coher, a principal of energy supply compliance at Southern California Edison Co. and an advisory board member of the Cybersecurity Law Institute at Georgetown University Law Center.
“You want to have an education system in place for your staff because they are going to be your most vulnerable element,” Coher said. What’s more, he added, companies must make sure vendors and outside law firms are knowledgeable about cybersecurity because they may be targeted.
The most important thing for general counsel to do, according to King, is to have strong partnerships and communications with other stakeholders in the company in advance of a breach. There also has to be a crisis plan, she said, in order to know what the response will be and to ensure that breach investigations remain privileged through the general counsel’s office.
“If your company is breached, litigation is highly likely to follow and it’s absolutely going to fall into the general counsel’s office to handle that,” King said. “If you’re going to defend against these claims, I think you’re best set up if you’ve been involved in the issues from the outset.”
And the legal chief needs to educate the board to make sure they are having the right conversations, King said. “This is one of the things that shows that the board was taking steps to fulfill its fiduciary duties,” she said. “If a board ignores the issue or doesn’t talk about it, this will not bode well as part of the defense.”