Defeat cyber risks, use the Force

Cyber risks are a real and present danger. They are often hidden and misunderstood so I wrote this article just for you. I’m also a Star Wars fan and couldn’t resist the Force.

When I think of the words “cyber risks”, I don’t think of anything immediately tangible nor anything immediately threatening. What those words, (especially together) mean to me is far more ethereal and a lot more entertaining…

My thoughts digress to a Jedi fighting a Sith, Ewoks and Jabba the Hutt. I think of Darth Vader – the famous “I am your father” scene. All very “other wordly” and “galactic”. Something a true Star Wars fan can fully and truly appreciate. But this is not Star Wars and I am no Princess Leia.

“Luke, I am your father”

Just like the “Luke I am your father” scene inevitably shocked Luke into a new reality, growing Cyber Risks are doing the same for businesses across the Globe. And that is actually my point – Is Cyber Risk really in a “Legality” far, far away or is it closer to home than we think?

What do I mean? Well I will give you some examples.

In the Price Waterhouse Cooper’s January 2016 Top Issues publication, the following was outlined

“The biggest challenge for insurers is that cyber isn’t like other risks. There is limited publicly available data on the scale and financial impact of attacks and threats are very rapidly changing and proliferating. Moreover, the fact that cyber security breaches can remain undetected for several months – even years – creates the possibility of accumulated and compounded future losses.”

And

“Cyber risks are increasingly frequent and severe, loss contagion is hard to contain, and risks are difficult to detect, evaluate, and price.”

On the Freshfields, Bruckhaus, Deringer website, a world-wide legal practice on their “Cyber crime can derail your company” page, they state the following:

“Whatever your industry, cyber security is a worldwide concern. As you hold more data, and your staff use their own devices, you can become more vulnerable to security breaches.

Those breaches can have significant legal and reputational effects upon companies. As shown by recent data breaches, and related litigation, this is not just an IT issue.”

There has even been a full article written on the Hedgeweek website entitled “Cyber security – a Global Persceptive” ,(the title alone has a sense of doom and seriousness about it). This article sets out the lengths the US Legislature is taking to ensure the protection of companies against cyber-crime, which includes the House of Representatives passing a new cybersecurity bill –

“the Protecting Cyber Networks Act (PCNA) – to allow file sharing between government intelligence agencies and private companies and raise the overall awareness of hacking.”

Cyber Risks – a clear and present danger

If it is not clear already, let me spell it out for you – cyber risks are here. It is a risk that is not only very real but one that can be truly devastating to a company should their systems and data be hacked thereby revealing company trade secrets. Can anyone say “huge liability claim”?

boss-fight-free-stock-images-image-photos-photo-photography-pie-cafe-coffee-milk-cream
Source: Boss Fight

Speaking of huge liability claims, Insurers and Re-insurers are discovering that there is a growing and real need to insure Companies across all industries against these potentially devastating risks and that means increased premiums for those Insurers and Re-insurers eager to tuck into a slice of the proverbial cyber pie. According to PWC –

“Cyber insurance is a potentially huge but still largely untapped opportunity for insurers and reinsurers. We estimate that annual gross written premiums will increase from around $2.5 billion today to $7.5 billion by the end of the decade.”

But thats Insurance and therefore inevitably a safety net should things go awry but where Law is concerned, prevention is often better than the cure.

Understanding leads to prevention

In order to even start combating Cyber Risk, we first need to understand what it actually entails. According to Kennedy’s “Cyber risks – an insurance perspective” article  cyber risks can be understood quite simply:

“Two of the most common forms of cyber risks are Cyber-attacks and data breaches. Cyber-attacks can take many forms:

Hacktivism – where a company’s website is hacked into and used as a platform to promote views.

Denial of service attacks (DoS) – when a site is bombarded with millions of emails from a bogus source, thereby blocking access to the site by legitimate users. This happened to the Amazon and PayPal sites recently, when they were forced to stop online trading as a result of DoS attacks by people protesting against the arrest of Julian Assange.

Cyber-extortion – where attackers threaten to carry out a DoS attack or to implant viruses in a company’s website or network.

Data breaches can occur as a result of human error – for instance, unencrypted data is lost or sent to the incorrect recipient – or by hackers, employees or others stealing or otherwise gaining access to sensitive data.”

A call to arms

black-and-white-sport-fight-boxer
Source: Pexels

What is abundantly clear is that this is not just an IT issue, something you can “dial a nerd” for and consider your job done. What this is, is a global risk. Something as legal practitioners we need to get ahead of. It is all well and good to have the insurers and reinsurers making their mark in this currently untapped risk market but we need to prevent the risk from happening in the first place. A seemingly daunting and almost impossible task to be sure. However with everything, you can tackle this “one bite at a time”.

With that in mind, how do we fight Cyber Risks?

  1. Identify the specific risks to the business and what needs the most protection. For example, in a company like Coke, intellectual property might be the most important asset which is vulnerable to cyber attack. For Bid or Buy, the stability of online platforms and the security of customers’ personal data may be paramount.
  2. Assess the potential consequences of the various types of possible attack. Essentially, what would the impact to the company’s reputation be, to its share price, to its goodwill? What is the litigation risk? What would be the impact on the business be if its activities were disrupted for a short or for a sustained period of time? How much risk can the business accept? This is a really important balancing act and from a legal perspective will need some risk management. For example, ensure senior management in all areas of the business are fully aware of the IT security and all the risks that potentially exist.
  3. Devise a strategy to address the identified cyber risks. This is likely to involve preparation of both a cyber risk management plan and an incident response plan. A cybersecurity review is vital.
  4. Ensure that the systems and security measures are properly and regularly tested (here you can most certainly get a hold of “dial a nerd”),
  5. Implement appropriate staff training and education. Many attempts to compromise information involve what is known as “social engineering”, which is effectively the skilful manipulation of people and human nature to trick information out of a company. Online social media platforms need to be properly monitored and staff trained here according to what they can say and what they can’t say with regards to the company online. A social media policy will most definitely be needed. Proper training can help reduce or prevent completely this type of risk.

Clearly, cyber-security is more than just tightly worded policies and endless procedures. It is a legal risk management exercise which undoubtedly entails keeping your eyes wide open, ears to the ground and your paper trail well and truly up to date -if there is any significant attack, the legal team needs to be properly armed with their trail of governance to ensure real combative steps are taken.

“May the force be with you” indeed does come to mind.

Featured image credit: Paul Jacobson, licensed CC BY NC SA 2.0

4 suggestions for preserving your digital assets for your heirs after you die

What will happen to your online profiles and data when you die? Before you answer that your digital stuff isn’t all that important so who cares, consider what you are using the digital cloud for:

  1. Email that increasingly includes bank statements, insurance policy information and functions as a backup for when you forget your password for your online profiles;
  2. Document storage and backups for all those policy documents, scans of your ID and passport, accounting records and tax returns;
  3. Photos and videos of your family going back years, decades even (have you maintained your print photos and offline video files to the same extent?);
  4. Various social profiles which you use to keep in touch with friends and family on a daily basis.

The cloud is more than just an incidental part of your life. Unless you are a committed paper-based archivist, you probably have more and more of your life recorded in bits stored on servers around the world and you are likely the only person who can access that data. When the time comes for you to leave this life your family will need to access that data for various reasons and, short of a séance, you won’t be in a position to pass along your access credentials if you don’t plan ahead.

Here are 4 suggestions for how you can do to make sure your family can access your digital assets after you pass on:

  1. Use a password manager like LastPass or 1Password to store all your passwords and key information (I use LastPass and it enables me to store credit card information, ID and passport information and a variety of other sensitive data securely) and use a strong master password to secure your password manager profile (while you’re at it, change your passwords to unique and more secure passwords to protect your profiles better).
  2. Tell your family about your online profiles and how to access them in your will or in a document you leave with your will. If you use a password manager, share the master password with trusted family members or friends so they can unlock your digital assets when the time comes.
  3. Backup your data regularly and automatically. Don’t rely on manual backups. Automate them. Use whichever secure and reliable backup service you prefer (popular options include Dropbox, Google Drive and more) but make sure they include your important stuff and work properly. Storage is becoming cheaper all the time so you should have plenty of space for all your stuff.
  4. Organise your digital archives so they can be easily searched and key documents located by your heirs. One of the first things your family will need to do when you die is report your estate to the relevant authorities and they will need key information to do that. Check with your attorney what they will need and collate that information for them in a convenient folder or location and share that with your family ahead of time.
  5. Make sure you identify all your key online services to your family and explain to them how to access them and your data. Don’t assume that everyone knows the services you use and how to use them effectively. They may not share your passion for those services but you probably don’t want to add to their aggravation by forcing them to stumble around unfamiliar services while grieving for you.

Image credit: ‘Til Death Do Us Part by [n|ck], licensed CC BY 2.0