Data breaches dominated the headlines this fall, as credit agency Equifax and the Securities and Exchange Commission both suffered serious cyberattacks. In light of the hacks, the corporate world is grappling with how to protect itself.
Toppan Vintage, a trusted financial printing and communications company, in partnership with Mergermarket, is pleased to present the newest edition of the M&A Pulse newsletter. This edition features responses from US-based senior corporate executives who shared their insights on the new age of cybersecurity.
Toppan Vintage question: Given the frequency of data breaches, do you think they are becoming an inevitable part of the modern business environment? Should investors and the public be concerned every time one occurs? Leading experts weigh in...
According to David Hickton, Founding Director, University of Pittsburgh Institute for Cyber Law, Policy, and Security, panic about data breaches is useless. But I would say there comes a point at which we have to resolve whether we have the will and the way to defend our data. If we're just going to accept that breaches are inevitable, then we're going to surrender our privacy, at least with regard to internet communications, and we're going to rely upon things being anonymous simply by virtue of the volume of the data. I don't recommend this.
I believe we’ve dealt with this before in human history. We've had these transitions, such as when we went from the telegraph to the telephone. But we have to be realistic about what the risk is; we have to be sober and purposeful about how we're going to deal with it; and we have to spend the money to take the steps necessary to address it.
We also need to come to a consensus about what we’re going to require with regard to cybersecurity breaches. Are we going to require voluntary or compulsory reporting? What are we going do about information sharing? And most importantly, in the world of enforcement, are we going to update our tools, particularly mutual legal assistance treaties and extradition? Because this is a borderless threat, and we need to treat it as such.
Devika Kornbacher, Partner, Vinson & Elkins, weighs in: This is a tough question. I would say the concern should not be overly focused on a particular breach but should be about what a company did or did not do in the preparedness area and how they're responding to the breach. If I'm an investor, I'm much more concerned about those issues and that's what I want to uncover before I invest.
When I counsel companies in connection with due diligence for investments in tech companies, some of the points we spend a lot of time on are: What is the state of their information security program and systems? Do they have a business continuity plan with off-site backups? Have they been running tabletop exercises to practice their incident response plan? When was the last time they had a penetration test or an assessment done? And what were the results of that test?
A lot of times, cybersecurity risk assessments will uncover weaknesses. But if I see that the company has taken efforts to plug the holes, and is proactively trying to prevent breaches and has the plan to respond to them, then I'm much less concerned. I’m more concerned if I ask a company about their cybersecurity program, and they give me a piece of paper, but they don't have anybody responsible for implementing or overseeing the program. And if I ask when the last time it was that they looked at the program document, or practiced anything in it, or trained anybody on it, they can’t say for sure.
According to Ted Augustinos, Partner, Locke Lord, cyber threats are here to stay, and compromises of data and systems have been an inevitable part of the modern business environment for some time. This is, as the SEC pointed out some time ago, a risk factor for most companies. The level of concern by investors and the public ought to be commensurate with the risk, and the SEC’s disclosure guidance on this point was appropriate. It’s not one-size-fits-all, and different companies and industries are more or less exposed than others. Prudent investors and members of the public should be considering their own cybersecurity profiles, and the profiles of the companies in which they invest or with which they engage.
Given the increase in the number and severity of reported attacks and breaches, there is a risk of desensitization, particularly among the general public. It’s hard to stay vigilant but not overreact. In connection with some recent, high-profile breaches, we’ve started to hear, “Well, I’m sure my information is out there anyway.” This presents a very real danger, given that we need constant vigilance at all levels of our economy and society, from individuals to companies to the
According to Michael Coden, Head of Cyber Security Practice, BCG Platinion (The Boston Consulting Group), there’s an equation that is useful in understanding cybersecurity risk.
The equation is: risk (R) equals threats (T) multiplied by your vulnerabilities (V) multiplied by the consequences (C). That is: R = T x V x C.
Now, the threats (T) are out there and there's nothing you can really do to eliminate them. They're coming from all over the place – nation states, political activists or “hacktivists,” criminals, and anybody else. Previously, cybersecurity engineers thought, "Well, I can solve this problem. I can reduce my vulnerability (V) to zero." Going back to that equation, if you can make threats (T), vulnerabilities (V) or consequences (C) equal to zero, your risk (R) would go to zero. But now, companies are realizing that you can't drive those vulnerabilities to zero. It would require an infinite amount of money and time.
So, if you realize that you can’t reduce your vulnerabilities to zero, you have to begin focusing on the consequences. What can you do to minimize them? And what is the best way to allocate dollars to reduce your vulnerabilities to a reasonable amount? For example, if someone gets into one factory, or one part of your banking system, or one part of your enterprise resource planning (ERP) system, you want to prevent them from being able to traverse across and through your networks.
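The following is an added worked example, not part of the newsletter or of BCG's methodology, that carries the R = T x V x C reasoning above through with numbers. It assumes a constant threat level, a hardening spend that reduces V with diminishing returns (so V never reaches zero), and a segmentation spend that caps the consequence of one intrusion at a fraction of the total loss; the loss figure, budget, decay rate and per-segment cost are all assumed values chosen for illustration.

```python
import math

# Constructed illustration of R = T x V x C. Every number below (loss figure,
# budget, decay rate, cost per segment) is an assumption for the example, not a
# figure from the interview or from any real engagement.

THREAT = 1.0              # T: treated as a constant the defender cannot reduce
BASE_VULNERABILITY = 0.5  # V0: assumed chance that an attempted intrusion succeeds today
TOTAL_LOSS = 10_000_000   # C for a flat network: assumed loss if one foothold reaches everything
HARDENING_DECAY = 2e-6    # assumed: each hardening dollar removes this fraction of remaining V
SEGMENT_COST = 100_000    # assumed: cost to carve out one additional isolated network segment


def risk(threat, vulnerability, consequence):
    """The interview's equation: R = T x V x C."""
    return threat * vulnerability * consequence


def vulnerability_after_spend(v0, spend):
    """Assumed diminishing-returns model: V decays exponentially with hardening
    spend, so it approaches zero but never reaches it."""
    return v0 * math.exp(-HARDENING_DECAY * spend)


def consequence_after_segmentation(total_loss, spend):
    """Assumed model: a flat network is one segment; every SEGMENT_COST dollars
    adds one isolated segment, capping a single intrusion at 1/N of the total loss
    (the 'prevent them from traversing your networks' point in the interview)."""
    segments = 1 + spend // SEGMENT_COST
    return total_loss / segments


def risk_for_split(budget, hardening_spend):
    """Risk when hardening_spend goes to reducing V and the rest of the budget
    goes to segmentation, i.e. reducing C."""
    segmentation_spend = budget - hardening_spend
    v = vulnerability_after_spend(BASE_VULNERABILITY, hardening_spend)
    c = consequence_after_segmentation(TOTAL_LOSS, segmentation_spend)
    return risk(THREAT, v, c)


def best_split(budget, step=25_000):
    """Try every hardening spend from 0 to budget in `step` increments and
    return (hardening_spend, risk) for the lowest R."""
    candidates = [(spend, risk_for_split(budget, spend))
                  for spend in range(0, budget + 1, step)]
    return min(candidates, key=lambda pair: pair[1])


if __name__ == "__main__":
    budget = 500_000
    print(f"baseline risk (no spend):       {risk(THREAT, BASE_VULNERABILITY, TOTAL_LOSS):,.0f}")
    print(f"all on hardening (reduce V):    {risk_for_split(budget, budget):,.0f}")
    print(f"all on segmentation (reduce C): {risk_for_split(budget, 0):,.0f}")
    spend, r = best_split(budget)
    print(f"best split: ${spend:,} on hardening -> risk {r:,.0f}")
    # V is still positive after a spend twenty times the budget: under this
    # model vulnerability never reaches zero, which is the interview's point.
    print(f"V after $10M of hardening: {vulnerability_after_spend(BASE_VULNERABILITY, 10_000_000):.2e}")
```

With the assumed parameters, spending the whole budget on hardening leaves about 1.84M of risk, spending it all on segmentation leaves about 0.83M, and the best mix found by the search puts a small share into hardening and the rest into limiting blast radius. The exact split depends entirely on the assumed curves; the point of the exercise is that once V cannot be driven to zero, the consequence term is where the remaining dollars do the most work.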
According to Jill Abitbol, Senior Editor, Cybersecurity Law Report, it is essentially an idiom in the industry at this point that it is not “if” but “when” a company will be a victim of a cyber event. Thus, we can’t emphasize the importance of incident preparedness enough. This includes having an effective incident response plan and testing that plan.
Equifax’s response to this incident may have been different had it tested its plan. It seems that if Equifax had correctly war-gamed a massive breach like this, these issues would likely have bubbled up.
An incident response plan with different scenarios should be tested regularly. Some of the experts with whom we spoke have suggested it should be tested at least once a year. All experts agree that a plan should not be tested for the first time in the midst of an incident, because mistakes can be made under pressure. If a company has walked through a plan in advance of a high-pressure situation, executing the plan will go much more smoothly.
It’s difficult to anticipate everything that can happen, because every breach is different. However, running incident scenarios against your actual inside response procedures is often enough.