Fri, Jun 21, 2019
Cyber risk assessments come in dozens of flavors. They can involve enterprise or product level analyses; focus on people, processes, or technology (or all three); be limited to certain systems or all of them; and relate to the company or its service providers (or both). But what all risk assessments have in common is that they identify lots of “opportunities” for improvement. For that reason, both regulators and private plaintiffs demand them in discovery. The absence of a risk assessment can be a red flag, and the presence of unaddressed recommendations arising out of risk assessments can form the basis for alleged liability in a data breach or even a security-vulnerability case.1
For legal counsel, risk assessments are relevant and useful in a number of respects. For example, risk assessments can play a key role in helping to evaluate the vendor management program, as well as helping to assess the vendors’ own security programs. They can also be leveraged to evaluate cyber or privacy issues related to an acquisition target, or leveraged by a target company to ready itself for acquisition or other major transaction (or even a cyber insurance underwriting). Risk assessments can also be used to benchmark a company’s overall security program or elements of its incident response against regulatory requirements, industry standards/best practices, or customer requirements. In some cases, an enforcement agency may request a risk assessment in the aftermath of a breach or as part of a settlement. Having a recent assessment already done in the ordinary course of operation can go a long way in demonstrating diligence and mitigating regulatory scrutiny.
As with any audit or assessment, the challenge for companies is prioritizing and executing on the remediation plan. While some companies have robust processes for identifying corrective actions, road maps, milestones, and funding requirements, many companies struggle, and in doing so they unintentionally create an unfavorable paper trail and precedent.
This last point was driven home in the Financial Industry Regulatory Authority’s (FINRA) investigation and consent order against Sterne Agee in 2015.2 Sterne Agee is a registered broker-dealer based in Alabama. The company found itself embroiled in one of FINRA’s very few cyber enforcement actions, largely due to the following fact pattern:
The Sterne Agee case is an extreme example of a simple proposition familiar to every lawyer: Repeated identification of the same risk can expose the company to potential liability. This proposition has made its way into regulator actions and class action complaints. For example, the FTC has explained that in cyber investigations, the agency requests and reviews “materials like audits or risk assessments that the company or its service providers have performed.”3 On the class action side, plaintiffs in the Equifax breach litigation alleged that the company failed to remediate known security deficiencies and repeatedly ignored warnings from third-party consultants. One senator summarized her findings on this point following congressional hearings and investigative activities:
While it is certainly easy for outsiders to critique in hindsight, the tone and tenor of the allegations clearly set forth a road map for identifying key exposure points. We offer three thoughts on how lawyers might leverage cyber assessments to help proactively manage enterprise risk:
This article has been published in PLI Current: The Journal of PLI Press, Vol. 3, No. 2 (Spring 2019), https://www.pli.edu/PLICurrent
A version of this article has been published in the Course Handbook for PLI’s Twentieth Annual Institute on Privacy and Data Security Law.
Sources
1 The FTC has exercised its prosecutorial discretion to investigate and bring actions against companies for security vulnerabilities even in the absence of any data breach. See, e.g., Complaint, FTC v. D-Link Corp., No. 3:17-cv-00039 (N.D. Cal. Jan. 5, 2017).
2 FINRA Letter of Acceptance, Waiver and Consent, Sterne, Agee & Leach, Inc. (Respondent), No. 2014041619501 (May 22, 2015).
3 See Eichorn, supra note 27.
4 Sen. Elizabeth Warren, Bad Credit: Uncovering Equifax’s Failure to Protect Americans’ Personal Information 1 (Feb. 2018), www.warren.senate.gov/files/documents/2018_2_7_%20Equifax_Report.pdf