The cyber security roundtable: Victims and visions

As cyber security issues continue to dominate the headlines amid a fractious European backdrop, we assembled a group of senior GCs to ask how to handle the inevitable attacks.

Even the cynics that see cyber security as the latest in a long line of corporate fads generating its own compliance circus and attending cottage industry have to concede that such threats – and the increasingly entwined issue of privacy – are becoming a more pressing matter.

With the levels of cyber attacks against companies increasing dramatically in recent years, the challenge for general counsel (GCs) has become more fraught through 2015 as the expected cross-border consensus on policing data issues has unravelled, with European courts setting themselves against US policy-makers.

In the second part of an Insight report on cyber security with PwC, we assembled a group of GCs to discuss the problems in preventing attacks and reacting to the inevitable cyber breaches.

On the day of the debate, an opinion from the European courts suggested a major reversal in the long-term march towards a region-wide approach. Within two weeks, the European Court of Justice had confirmed the preliminary ruling, backing Austrian campaigner Max Schrems in a high-profile challenge against Facebook. The ruling effectively ended the ‘safe harbour’ scheme that allowed 4,000 US companies to transfer personal data back to the US and has huge implications for business and policy makers.

But as difficult as navigating the complex regulatory and legal environment in the area is, perhaps the greater hurdle for GCs is addressing the complex technical and logistical challenges in handling a security breach.

As PwC Legal’s Stewart Room puts it: ‘We can no longer claim to be victims. A year or two years ago, one of the stock plays that entities would make with cyber is: “We are the victim of crime.” What it turns to, in a practical sense, is: “Do we want to be remembered for being the entity that did the right thing?”’

***

Alex Novarese, Legal Business: How confident are you that you are on top of cyber security issues?

Nayeem Syed, Thomson Reuters: I know we are as an organisation doing a lot. What I do not know is how fully effective any organisation can be against highly sophisticated and highly determined attacks.

Alex Novarese: Why?

Nayeem Syed: We are trying to pre-empt things that are unknown. From my conversations with our CISO [chief information security officer] I know we have done a lot of work from a financial services and government perspective, because over 50% of our $12bn revenues are from those two sectors.

We also have many entities regulated by the SEC, FCA and others around the world because they operate in high-profile and sensitive financial market activities globally. Maintaining those registrations and those licences means that all of the vast government and financial services security requirements cascade down to us.

Alex Novarese: Are you unsure because it is an unknown quantity, or is it that gap between how the cyber specialists think and how the in-house counsel think?

Nayeem Syed: There is operational best practice. There are things that we can do to try to put systems in place, and we are trying to do that. What they are concerned about is that where there are unknown risks, which leave potential gaps, they cannot know all of those places. It is a very big organisation. All of us around this table know that it is impossible to really close all possibilities, preventing all human error or deliberate attacks.

Alex Novarese: Are there any particular factors that might make in-house counsel feel uncomfortable?

Vivienne King, The Crown Estate: You can spend everything you like on systems and the policies that you put in place, but if culturally it is not being taken seriously then it is not going to get you to where you need to be. I did not appreciate what a nightmare cyber terrorism could be until relatively recently.

As a consequence of that, I have explored it more and discovered how many attempts we have every day, and every hour within every day. There are just vast numbers. That was a real wake-up call.

Alex Novarese: Turning to recent developments, the Facebook decision from the Advocate General came out this week, did it not?

Stephen Deadman, Facebook: It came out today [23 September].

Stewart Room, PwC Legal: The biggest change is that we can no longer claim to be victims of an incident. A year or two years ago, one of the stock plays that entities would make with cyber is: ‘We are the victim of crime.’ That sense of victimhood developed the entire strategy for dealing with an incident.

When we go into the client side now, our stock initial conversation is: ‘What is your vision for the handling of this incident? If we look back in six months’ time, what is it that you want to be famous for? You need to be laying the pathway today to that outcome in six months’ time. If, really, you want to be famous for being a victim, then we will go out with victimhood.’

What it turns to, in a practical sense, is, ‘Do we want to be remembered for being the entity that did the right thing?’ That is what has changed over the past 12 months.

Alex Novarese: Are there any particular developments that you would also highlight this year?

Stewart Room: Obviously, the thing that happened today is worth a mention, because we can play in Stephen on this opinion of the Advocate General [in Maximillian Schrems v Data Protection Commissioner].

Alex Novarese: This is saying that national regulators do not have to be bound by Brussels’ direction?

Stewart Room: Yes. That is going to give us incredibly fragmented points of view to deal with. I am seeing more fragmentation in the legal environment around privacy and security, which is the exact opposite of where everyone thought they were heading only 12 months ago.

Stephen Deadman: Our experience in the last nine months is an exact demonstration of that. We have been attacked by regulators in Belgium and the Netherlands. There was a hearing on Monday [21 September], widely reported particularly in the Belgian media, challenging the entire direction of European Digital Single Market regulation in the last 25 years, by effectively pulling back jurisdiction from the home jurisdiction, which is Ireland, because we are established in Ireland.

We have complied with European law. We have complied with the Irish regulator, and yet we have other regulators now saying: ‘No, no. Me too. I want a piece of Facebook.’ The Max Schrems [case] is a classic example of unravelling the enterprise that we have been on in the last 25 years in Europe, to try to create a single market for data. Who knows where this is going to go? It belies an essential political tension at the heart of Europe. Does Europe want to be a European space for business to innovate and grow and expand, or does Europe really want to be 28 fiefdoms, where they have their own rules and regulators pursuing their own agendas?

Alex Novarese: The wider expectation is that there has been a big shift towards global common ground in regulation. American policy has driven this. Now that is being pulled apart, essentially, is what you are saying.

Stephen Deadman: European policy is being pulled apart. European policy is being pulled apart by Europeans.

Alex Novarese: I assume that people expected the EU policy to get closer to the American approach.

Stephen Deadman: It would be great for Europe to have a standard. Europe cannot agree itself. We have had a convention for the last 25 years that, more or less, equated to a little bit of commonality, certainly in terms of how regulators sought to pursue their roles as regulators. Since the right to be forgotten judgment last year, the Costeja decision, now opportunistic regulators have taken that as an opportunity to unpick that framework and start questioning it. That is really pulling back jurisdiction to the member states.

Alex Novarese: Are there any thoughts from around the table of which are the most problematic jurisdictions, or regulators?

Michelle Levin, Aon: Germany. We have a very strong works council in Germany. They are not afraid to take our US corporate headquarters to task. Any time we want to roll out a global new IT system, policy or anything, the German works council will be there as the thorn in the side.

Alex Novarese: Allowing for the fact that we are dealing with conflicting regulatory regimes, are there any particular or obvious steps or approaches that can make it more manageable or mitigate a company’s risk?

Stewart Room: A few years ago, you would feel you could be quite robust on your positions and, if necessary, persuade the regulators and the judges to go with you. That does not really work as a strategy, for the reasons we have just spoken about. It is a hearts and minds piece right now. We have to go back to battles we thought we had won a few years ago and re-win them.

Alex Novarese: Shall we explore the language gap between in-house counsel and technology teams? How easy is it working out what each side is saying?

Vivienne King: It is not.

Alex Novarese: You said the Crown Estate overhauled its processes earlier this year. Could you give us a bit more information on that?

Vivienne King: We have recently introduced some education, which has been effective. The risk is it may be counterproductive, because it has tried to be very simple. It is a programme that individuals within the business have to go through. Everyone has to do it. It is relatively short, at 30 minutes, for most people. It is considerably more complex for those who are deeply involved in high-risk areas, like HR or the [information security] team.

Alex Novarese: What sort of words are used?

Vivienne King: ‘Phishing’. What is that?

Alex Novarese: That is not too bad, is it?

Vivienne King: That is the one I can remember. ‘Bot’ was another one. I question whether or not you really need to speak in that language.

Dervish Tayyip, Microsoft: I am interested in what you feel technology providers are doing and could be doing. Traditionally it is thought that, as a provider, the area of focus when it comes to cyber security is the security of your product or your internet service. But there is a fair amount of innovative work going on over the last 18 months to two years, that I am not sure there is good awareness of.

Alex Novarese: Are you talking about suppliers providing the technology to in-house teams to improve security?

Dervish Tayyip: Yes, for example, at Microsoft we have invested heavily in something we call the Digital Crimes Unit. This is an activity in which we have over 100 people employed across the world in 60 jurisdictions. It is all about where we can play proactive digital defence against cyber criminals and add value to the cyber security situation. How are we able to use cyber forensics? How are we able to use big data to monitor closely what threats are out there, and the evolving landscape?

The innovation is that we are blending 21st and 15th century ways of investigation. We use big data and data analytics to connect the dots of cyber criminals behind attacks in ways that a few years ago we could only dream of. We also use traditional investigation techniques, following leads and being tenacious. We are bringing that together with innovative legal actions, taken in our own name in the civil courts, but handing over to the FBI, Europol or Interpol for criminal actions.

Alex Novarese: When you say ‘innovative legal actions’, what do you mean?

Dervish Tayyip: We are fighting malware. Criminals write, deploy and distribute malicious software that is then injected into computers. The main way that this is disseminated is through botnets [a network of infected machines] which the cyber criminal takes control of. These infected machines can then steal money from bank accounts, send spam, engage in ‘click-fraud’ and launch denial-of-service attacks. These legal actions disrupt the botnets. They are innovative in the sense that we are going to the courts and obtaining orders that sever the link between the cyber criminals at the top of the botnet and the devices used by companies. We have done this more than a dozen times now.

The judge has granted an order that re-directs these infected machines to Microsoft. This information is then shared with law enforcement and internet services providers and our customers. This is an example of how users can demand more of their technology providers.

Alex Novarese: Let’s get onto the breach response. What are the obvious steps?

Kris McConkey, PwC: In one major payment processor breach that we investigated, which resulted in a $31m fraud being executed, there were more than 500 compromised systems and more than 420 different types of log data. That totalled more than about 200 terabytes of data. When you are talking about big data analytics, that is a lot to piece together to work out the exact fact pattern of what happened, what systems were touched and what data actually left the organisation.

Paolo Berard, Centrica: We have two or three different streams, depending on the nature of the attack or the breach. First of the two important streams for this discussion would be a cyber or data incident response team, in which the first call is to a lawyer to figure out what we need to do. The second is that, if we think this is something much bigger than a simple breach, it triggers our crisis management protocol. Thankfully, to date we have never had to do that. If it does, it triggers a very different level of stakeholder and level of engagement, and gets escalated within the organisation quickly.

Alex Novarese: Christopher, how up do you feel that you are on these issues?

Christopher Morgan, Weir Group: We have experienced two particularly serious issues. One was quite an unsophisticated event in the US. The first phone call when we realised what had been done was to the legal team, which reassured me somewhat. The second phone call from the legal team was into the IT team, to get access into the employee’s IT system and commence a thorough forensic analysis of what had been stolen by the employee.

The second incident has been far more sophisticated, and that has involved an activation of our crisis management group. That was something where, having discovered the issue, we then realised the cyber theft had been going on for a period of five years and was far more sophisticated and serious than anyone had initially envisaged. It was triggered by the dismissal of a senior employee, which can sometimes bring these things to a head. All of a sudden, a number of people around that particular business exited at the same time. That prompted our suspicion and subsequent investigation. Ex-employees were holding onto laptops and so on, and generally making the investigation more difficult. The issue is ongoing so I probably cannot say any more on it but it is on a significantly larger scale than we have experienced before.

Alex Novarese: You found problems linked to one division, or team, essentially?

Christopher Morgan: Absolutely, and that will likely be subject to some sort of criminal investigation going forward.

Alex Novarese: Are there any lessons you learned, particularly from that incident, in terms of responding effectively as a lawyer?

Christopher Morgan: Certainly in the less sophisticated case, it comes back to the matter being that of a simple human act. There was clearly an intent from the individual involved, in that they simply decided that this was something they were going to do. They were going to download a whole series of confidential data. We never actually even understood the individual’s motive. Funnily enough, you were talking about labour law issues in a slightly different context. You then get into a battle and dispute with the individual as she starts to launch into a whole series of labour law complaints, including a disability claim against the company. It all becomes very distracting from the original cyber theft issue.

With the other issue, there have been lessons learned. Indeed we are still learning. What you know on day one is very different to what you know on day ten and so on. What is useful and productive is the investigation team is small – there are four of us – and we speak regularly.

Alex Novarese: That is a mixture of lawyers, technologists and executives.

Christopher Morgan: The team is constituted of a lawyer, an IP specialist, someone from finance and one IT specialist. For us, the investigation team ‘lesson learned’ is to keep the team in a tight-knit group and properly scope the investigation at the outset.

Michelle Levin: The distraction point is really important. That issue of what you know at day one being very different to what you know at day three and day ten I think brings into question the whole breach-reporting scenario, particularly for a company like Aon. We have a lot of clients. We have a whole raft of client contracts. Increasingly, the breach notification clauses in them are getting more onerous.

Then, we have the regulatory landscape. Often, when you are at the coalface, trying to deal with an incident, the last thing you want to do is also work out immediately what you are going to tell clients. What you are going to tell the regulator on day one, 24 hours after the breach, is very different from a later date.

Clare Wardle, Kingfisher: That is certainly why we keep Kingfisher’s communications team in from the beginning. A breach is supposed to come into me; then, however, risk, IT, fraud, audit and communications people are involved. It is important to have communications professionals working on the message while the incident is being properly investigated.

Alex Novarese: In white-collar situations, you are usually pretty quick to the regulator. Is it similar with cyber security?

Michelle Levin: We have not had to deal with this yet. We have had the low-level incidents, involving a handful of clients’ human error. We are yet to have a cyber attack. We certainly also have that tension between reporting to the FCA and to the Information Commissioner’s Office (ICO). There is that tension, because the regulators talk to each other.

Alex Novarese: Are there any other particular hallmarks of an effective response after a breach?

Kris McConkey: We just heard four examples of legal being the first call that somebody makes whenever an incident happens. That is music to my ears. That is a huge change from what we were hearing 18 months ago. The other point to make, of which we just heard three examples, is where there is a really clear delineation in the escalation process, depending on what the type of incident is. We dealt with a client that had 17 different classes of severity of incidents.

Alex Novarese: That is over the top, surely?

Kris McConkey: Yes. We ended up boiling it down to about four. If your severity classifications do not make a tangible difference for the type of resource that you are able to get access to, there is no point in having that level of complexity. Every single escalation should grant you access to a different type of scarce resource, in a methodical way.

Ned Staple, Zoopla: At Zoopla, we are a much smaller organisation than a lot of people who have been speaking previously. In our legal team of five, we have a much closer relationship with our development team and our software developers, and the people who are dealing with it on the front line. That is very valuable. We are very agile; we are quite light.

We do quite a lot to try to understand what the development team do and the nature of the architecture of our software and our systems. We have had a couple of incidents, and when they happen we are in a pretty good position to understand where the issue lies.

Alex Novarese: Could you give us a little bit more on that?

Ned Staple: You even have to understand what the data is and what the files are, and to see some data. I do not know how many people have actually looked at some of the data that is held in their systems, but it is quite a revealing exercise to understand what the data is. It is easy to talk about it in the abstract, but to understand what it is and how it is encrypted where it is held is very, very valuable.

Alex Novarese: Are there any other experiences along those lines?

Paul van Reesch, Coca-Cola Enterprises: We have gone through a couple of forensic exercises over the last 12 months. One of the things that has struck me is that I cannot believe how difficult it is to manage data, to move it, to deal with it and to manipulate it, and how expensive it is and how difficult it is to collect.

We are trying to think about, not only in respect of a cyber response but also regarding competition authorities, how we can better enable ourselves to be able to get a hold of this information, pull it apart, move it and analyse it more quickly. For us a key part of the response is the preparedness, and trying to set yourself up so that you can be more rapid in how you respond.

Ned Staple: The other thing I would say is that the increase [in cyber incidents] is very, very noticeable. We listed a year and three months ago. As a pre-listed company, we had had no instances, whether it was phishing or anything more pernicious. In fact, on the day of listing, there was literally a flood of activity.

Alex Novarese: Your experience is that it is a very steep curve once you get to a certain size?

Ned Staple: Yes, absolutely, and it is increasing. Take phishing – two years ago we did not have any. It is now a recurring theme, which is very, very difficult to deal with and, for a consumer-facing business, quite frustrating.

Chris Gaines, PwC: Coca-Cola – when you made an acquisition, there was a cyber incident. Coke is not a natural habitat for the hacker, but because there was some merger-and-acquisition activity, it hit the press. That attracts the hackers.

Vivienne King: Certainly, that is our experience. Deals attract some spikes.

Alex Novarese: Are there any other obvious risk factors that people would highlight?

Christopher Morgan: We had one last year. We are involved in fracking, principally across North America. Already, we have experienced some cyber-related attacks and threats to our IT systems, as a result of that business activity.

We also experienced quite an unusual one last year. Being a [Scotland]-based company, the business took a neutral stance regarding the Independence Referendum in 2014, although some of our senior management spoke out independently in support of the ‘Better Together’ campaign. There was a lot of strong negative online activity taking place at the time within Scotland often targeting those from different camps, and as a result of some of the personal positions adopted by some senior employees, we have witnessed demonstrations outside our Glasgow office, and various cyber-related activities as well.

Alex Novarese: I just want to quickly explore a few points on privilege. What is the most important element in using privilege effectively?

Stewart Room: It is important to distinguish between privilege and instant response expertise. That is absolutely critical. For a lawyer, after a number of exercises, you become expert as an incident responder. That is fundamentally different to providing a privilege wrapper.

It is really important to not fall into the trap of thinking that legal professional privilege is a substitute for sufficient expertise to run an incident. We have seen real howlers where non-expert responders are running things simply because they are in legal. There is the case that you are talking about, as well as the Visa case [Genesco v Visa USA].

Some state court maintained privilege in the incident response expert service. It is heartening. What we have not yet done in this country is we have not yet run out the privilege argument in litigation. It is a little bit like antibiotics. If we play privilege too often, then there is going to be resistance to it.

Where privilege works really, really well is in the instruction of the expert people so that they can do their expert incident response. Where privilege fails is: ‘We have an incident response report that the Information Commissioner wants to see.’ You can make privilege arguments about it, but get it over. Disclose it, and get on and fight the real case that you need to fight. That is my message around privilege.

Paul van Reesch: I have to say, from a non-cyber perspective of running incidents, I just do not worry about [privilege] any more. I have run more than 60 incidents. The main thing I need to do is to get that matter under control. If I worry about privilege, it is firstly impossible. I cannot control everything that needs to be done behind me or my lawyers in order to solve the problem, gather information, route calls and deal with customers. Second, you will just hamstring the ability to respond.

Alex Novarese: Are you saying that it is just not a consideration, or are you are assuming it will be privileged?

Paul van Reesch: What we do is we try to educate people as to what they should and should not put down on e-mail. Other than that, I do not deal with it, because I cannot.

Alex Novarese: Other thoughts?

Paolo Berard: Our approach would be very different. My reading of the Genesco case was that privilege was construed quite narrowly. So long as you are seeking the professionals’ advice to inform the legal advice, it is covered. Any other investigation I would not have thought would be captured by the definition of privilege.

Stewart Room: Precisely.

Paolo Berard: We spent a lot of time training our incident response team around privilege. I agree it is solid advice to say: ‘Look, if you have any questions, please do not put it in an e-mail. Pick up the phone.’ That being said, there are a number of situations where we would strive adamantly from day one to assert privilege over certain elements.

We want to ensure that when the lawyers are asking, we need some open and honest answers. I temper that with the view that we do not try to cloak everything in privilege. That is the first way that you lose it. Construe it very narrowly. Limit it to the legal aspects of your investigation.

Stewart Room: Yes. If you are dealing with trying to get primary facts and evidence, it is really, really important you handle witnesses in an appropriate way. If they feel uncloaked, guess what? They are going to distort, as a general piece. You have got to use it forensically, and judiciously, but not everywhere.

Alex Novarese: Any other final thoughts?

Chris Gaines: It is really heartening that the adults are getting involved in cyber security now, finally, as people in the organisation who have real influence. Ultimately, there is a lack of skills, generally, in our company and in all your companies. The one thing that we all need to do in our preparedness and discussions is work together and think about how we can just bring together a bigger pool of experts. At the moment, probably, the response is being handled in some of your organisations by willing amateurs.

Stephen Deadman: Stewart, you raised the point: ‘What do you want to be famous for?’ That is really, really interesting. All my experience of incident management is with my former employer, Vodafone. When I was in my previous role, thinking about incidents we managed where they were high profile, with a lot of media attention on issues that were happening, what did I want to be famous for? I wanted to be famous for fixing the problem in a way that got us really good coverage. You cannot stop shit happening. No one thanks you for solving a problem, but they do thank you for fixing it in a good way. It is a thing that, from my perspective, in my former role as a lawyer, was often neglected.

Ultimately, what people care about is how well you embraced the problem and fixed it for the people who were affected.

Alex Novarese: That seems a pretty good point to end. I hope you have enjoyed the discussion. LB

Further reading: Insight report on cyber security – Anatomy of a breach