Lenoy Barkai, Director, and Joseph Tarraf, Associate Director, in Cyber Security at S-RM, explain the critical role that general counsel play during a cyber incident, and what can be done before and after an incident to ensure an organisation’s resilience and readiness.
Cyber security: Top of mind
Cyber security continues to climb up the list of key priorities for risk managers and legal departments everywhere. A recent survey of chief legal officers saw respondents rank cyber security as the most important issue facing their business, with over 90% forecasting that data privacy issues will 'continue to accelerate' in the near future, according to a 2021 report by the Association of Corporate Counsel.
This means general counsel need to be clear about their role in a cyber incident; how much should they know about cyber security and the digital threat environment, and how should they handle a data breach?
The spill-over from a cyber incident could include significant financial and reputational harm arising from a run-in with regulators, or in some cases, general counsel could be held personally liable in the event of cyber breaches being mishandled. This means general counsel should be prepared to participate in a major cyber incident response.
A Key Player, but Part of a Team
Extensive news coverage of regulatory fines, high profile litigation, and breaches of highly sensitive information may suggest that much of a cyber incident response rests on the shoulders of the general counsel. While the legal department and by extension, the general counsel, certainly has a key role to play in a response, their advice and decisions can only be as good as the overarching crisis management function of an organisation.
Crisis management is always a team effort. The general counsel will rely on information flows from a variety of sources: in-house technical teams, external forensic investigators, PR and communications functions, external counsel/breach coaches, insurance representatives, and the board and C-suite executives. This information will in turn inform any advice they may give during the course of a response.
The general counsel’s role is not to be a cyber incident response expert. Rather, it is to understand the legal implications for their company arising from the incident and advise the board accordingly.
General Counsel in a Cyber Response: Key Considerations
The guide below sets out the steps you can take to secure a positive outcome in the wake of a cyber incident.
Convening a Response Panel
Most organisations experiencing a cyber incident will call on a panel of experts to support their response. Panellists may include breach coaches or external law firms, incident response specialists, PR advisory firms, and insurers.
The general counsel should be closely involved in panel selection ahead of an incident. This might mean vetting vendors if panel selection is handled internally by the firm. Alternatively, it might mean working with the company’s insurer to provide input on vendor selection when a panel is provided under the company’s cyber insurance policy. Corporate boards will often rely on their general counsel to ensure that external partners are the right fit for the firm. Cyber incident response is no different.
Setting Expectations
Once an incident has taken place and the panel is deployed, the general counsel can help set the tone for the overall response. This might be the first time that many internal stakeholders have experienced a cyber incident. A lack of familiarity with cyber incident response can lead to unrealistic expectations of a speedy resolution.
Senior leadership teams might feel pressure to resolve the crisis as quickly as possible. However, experience shows that even small cyber incidents can take weeks or months to resolve. A rigorous investigation will enable the organisation to manage the legal risks involved, and they should not rush this process. The general counsel and the board will need to have established a high level of trust for the response process to run smoothly and instil confidence among stakeholders. They can emphasise the importance of a thorough investigation that is carried out in lockstep with containment and eradication efforts, and can also set expectations concerning the response timeline.
Responding under Privilege
Engaging external counsel as part of a response panel presents an opportunity for all communications and work produced in relation to the response to be conducted under privilege. This affords the response an extra layer of legal confidentiality.
Engaging a Threat Actor and the Pay/No Pay Decision
With the rapid rise in ransomware attacks, the likelihood of a cyber incident culminating in a ransom request has increased significantly in recent years. Organisations may ultimately need to pay a ransom to recover data and restore critical operational services. The general counsel has a key role to play in the pay/no pay decision. It is also their role to educate the ultimate decision makers about the organisation’s legal exposure arising from their decision.
To give an informed opinion on the decision, the general counsel should solicit data from their chosen forensic investigators. Understanding what data was exposed, based on forensic evidence and a threat actor’s profile, is critical for a general counsel to consider in order to reach an informed decision. Threat actor profiles – usually drawn up by the responder, but sometimes by a third party – can include information on threat actor motivations, statistics around threat actor default rates once payments are made, and the reliability of decryption tools provided by them.
Before any engagement with the threat actor takes place, the organisation should be confident that they will not be breaking the law. The general counsel has a key role in ensuring that applicable laws governing the transfer of funds to a third party have been reviewed, and that appropriate due diligence checks against lists of sanctioned entities are performed. These may include:
United Kingdom
Office of Financial Sanctions Implementation (OFSI); The Cyber (Sanctions) (EU Exit) Regulations 2020; Terrorism Act 2000; Counter-Terrorism and Security Act (CTSA)
European Union
The General Data Protection Regulation 2016/679 (GDPR)
United States
Office of Foreign Assets Control (OFAC); Foreign Corrupt Practices Act 1977 (FCPA)
Asia
Singapore’s Corruption, Drug Trafficking and Other Serious Crimes (Confiscation of Benefits) Act; and Terrorism (Suppression of Financing) Act
Ultimately, the decision of whether to pay a ransom – assuming it is legally acceptable to do so – sits with the organisation’s business leadership. Clear communication between the general counsel and leadership is key to ensuring any threat actor engagement does not leave the company in a legally questionable position.
Know who you are dealing with
To determine whether a cyber threat group is subject to sanctions, start by collecting the name or affiliation of the group as well as the details of their Bitcoin wallet. These data points are often provided as part of a ransom note or subsequent communication. If it is not immediately clear who the group in question is, there may be clues that speak to a likely culprit.
Cyber forensics specialists may be able to deduce the threat actor’s identity from an analysis of their tactics, techniques and procedures.
You can then search for the group across a range of reputable sanctions watchlists and other databases. A non-exhaustive list of resources includes:
- OFSI Sanctions List
- OFAC Sanctions List
- EU Financial Sanctions List
- Compliance and sanctions databases – World Compliance or World Check
- Media searches to find terrorist financing links
- Blockchain analysis tool Chainanalysis Reactor
Disclosure
Perhaps the most obvious role a general counsel plays is deciding how and when to communicate a breach to the public, to law enforcement, and to regulatory bodies if required. During the response, the general counsel, armed with forensic evidence and advice from a breach coach or external counsel, will need to assess the extent to which customer or employee data was exfiltrated.
If public disclosure becomes necessary, no public statement should be made without the general counsel’s approval, and they in turn should secure final sign-off on all public-facing communications. Again, general counsel will have to work closely with the board and corporate leadership in advising and crafting the company’s public and regulatory notifications.
Discussions around disclosure with senior stakeholders and preparing communications ahead of time can be crucial, especially given the time-bound notification requirements of many international regulations.
Building Relationships Early
The points above demonstrate that a general counsel will become intimately involved in some of the key activities and decisions that form part of an incident response. However, much of the preparation can be done beforehand – and this preparation goes beyond drafting statements, conducting roundtable exercises, and vetting a panel.
Above all, the general counsel will need to have strong, trusted relationships at all levels of the business in order to effectively navigate a cyber attack when one eventually occurs. All stakeholders should know in advance what information the general counsel would need from them in order to make decisions and give sound advice.
Preparation and trust will also ensure that when the general counsel gives their advice, it is considered with confidence by key decision makers at the highest level of their organisation.
