Recommended Reading and Listening
updated June 18, 2016
26. National Association Of Corporate Directors Cyber Risk Oversight Handbook.
The NACD published this handbook to provide directors with guidance on cyber risk. The handbook poses 5 principles for directors to consider and questions for board members to ask.
Note: the web site requires you to sign up, but the sign up is free.
25. NSA TAO Chief On Disrupting Nation State Hackers
TAO, or Tailored Access Operations, is the NSA's team of "hackers' hackers". If normal information acquisition techniques don't work, the NSA relies on TAO. The NSA allowed the chief of TAO to speak at Enigma about things that you can do to disrupt even nation-state hackers. While you are unlikely to implement all of his recommendations, the talk gives you a unique insight into the professional hacker's mindset. The video, on YouTube, is 35 minutes long.
24. Cybersecurity 101 – A Resource Guide For Bank Executives
The Conference of State Bank Supervisors published this guide, based on the NIST Cyber Security Framework. It provides an outline of the NIST recommended process and is a good introduction to the NIST Framework for executives.
23. Cyber Security for the Insecure RIA
If you are a registered investment advisor or another entity regulated by the SEC or state regulators, cyber security is on their radar screen. The SEC, at least, is disappointed in how RIAs are dealing with the situation and at least one commissioner spoke up about it this summer.
22. Cybersecurity and Corporate Liability: The Board’s View
The NYSE, working with Veracode, surveyed almost 300 board directors and executives of publicly traded companies to get their take on cyber liability. 90% say their company should be responsible for a breach, but they also say that their third-party software vendors should be as well.
21. Cyber Risks 2015 – A Board Primer
Cyber-risk is a witch’s brew of reputational, operational, legal and financial dangers. As SEC Commissioner Luis A. Aguilar said last year, “Put simply, boards that lack an adequate understanding of cyber-risks are unlikely to be able to effectively oversee cyber-risk management.” To take it to the logical next step, if a board fails to properly oversee cyber-risk, then it not only puts the organization at risk, but also potentially makes itself liable.
20. NYSE Releases “Definitive Guide” For Directors and Officers of Public Companies
The New York Stock Exchange, in collaboration with about 40 authors, released a 350 page ebook collection of essays on cybersecurity for directors and officers of publicly traded companies. Since they are individual essays, they can be read separately as a reference source. It is available at no charge.
19. FINRA Report On Cyber Security Practices – February 2015
FINRA, the Financial Industry Regulatory Authority, created a report on recommended cyber security practices, with a few case studies, for the entities that it regulates. While important for those entities, it is also quite useful for anyone concerned about cyber security in their business.
18. PBS-Nova program “The Cyber_War Threat”
The long running PBS series Nova recently ran a program explaining the possibility of cyber warfare. The show discusses, among other examples, the DHS Aurora program that demonstrated how easy it would be to literally set an electrical generator on fire.
17. Navigating The Digital Age – The Definitive Guide for Directors and Officers
The New York Stock Exchange, in partnership with Palo Alto Networks and about 40 authors, has published a free eBook on cyber risk management. The book, 300+ pages, provides a number of authors' opinions on cyber risk related topics. And it's free and downloadable.
16. Behind The Scenes Look At The Hacker Group Behind RawPOS Malware
FIN5, the group behind RawPOS which has compromised many hotels, has an interesting model, described in this article.
15. Data Privacy and cybersecurity Due Diligence In M&A Deals
This presentation from a Strafford webinar addresses a number of areas of cyber risk, including legal, technical and insurance.
14. Data breach lawsuit filed against Home Depot directors and officers
A data breach related shareholder derivative lawsuit was filed in September 2015 naming Home Depot and 12 directors and officers, accusing them of breaching "their fiduciary duties of loyalty, good faith, and due care by knowingly and in conscious disregard of their duties failing to ensure that Home Depot took reasonable measures to protect its customers' personal and financial information". Even though historically these lawsuits have been hard to win, at some point one will succeed, and even when they do not, defending against these lawsuits is expensive, time consuming and distracting.
13. SEC Risk Alert – Cybersecurity Examination Initiative
In February 2015, the SEC put out a risk alert explaining the results of a sweep examination of registered broker-dealers and investment advisors. This is part of the basis of another alert, released in September 2015, in which the SEC announced a new examination initiative and explained exactly what areas it would be examining. This is useful guidance on where to focus your own cybersecurity initiatives, whether you are regulated by the SEC or not.
LINK to SEC Sweep exam results: https://www.sec.gov/about/offices/ocie/cybersecurity-examination-sweep-summary.pdf
LINK to SEC Cybersecurity exam initiative: https://www.sec.gov/ocie/announcement/ocie-2015-cybersecurity-examination-initiative.pdf
12. Sample incident response plan template
The office of the CIO of the State of California has published a Microsoft Word template that is a good starting point for creating an incident response plan. I strongly recommend that organizations do not attempt to boil the ocean all at once: create a simple plan that covers the major points and enhance it over time.
11. Sample policies and procedures
The SANS Institute, a well-respected information security training and breach mitigation organization, offers over 25 sample information security policy templates on its web site for free, with no strings attached.
10. Recent governmental guidance on data security: What in-house counsel needs to know
The SEC and DOJ have both released useful guidance this year. While the SEC guidance was geared toward registered investment advisors and others in the finance sector, the recommendations are likely useful outside that industry. The DOJ documents address best practices for victim response and reporting of cyber incidents.
9. Bringing cybersecurity under a protective umbrella (of privilege)
This article from InsideCounsel.com explains why the first call IT should make if they believe the company has been hacked may be to counsel, even before calling the CEO. The article follows the case of Genesco v. Visa and how judicious application of privilege allowed the company to avoid disclosing certain information that likely would have had an adverse effect on the litigation.
8. Back To Security Basics
While you can spend an unlimited amount of money on cyber security, these 10 items are a great first step and will dramatically improve most organizations' cyber risk posture without spending a lot of money. Many companies already have the tools to do this, or free tools are often available, but they do need to prioritize and make sure that time is allocated to the technical staff to implement these recommendations.
7. Cybersecurity for Medical Devices: A Risk Mitigation Checklist for In-House Counsel.
This Reed Smith Client Alert provides guidance for in-house counsel on mitigating cybersecurity risk related to health care devices such as infusion pumps and blood gas analyzers, among many other computer-controlled health care devices. The document provides links to relevant FDA documents, but more importantly, it contains a checklist of useful steps to prevent and respond to breaches. These steps are geared towards medical devices, but most of the items are applicable to any company.
6. IT Due Diligence Guide
This is the checklist that comes with the book. The checklist is free, but the book is not. This 15-page checklist covers a number of areas, including development, operations, network security, cybersecurity and compliance.
5. The Cybersecurity Law Report
This is a subscription based newsletter on cyber security law that has some interesting articles. You can sign up for a free trial subscription on their web site.
For subscribers, some interesting articles include:
- Cybersecurity and information governance considerations in mergers and acquisitions – http://www.cslawreport.com/article/50
- Tackling cybersecurity and data privacy issues in mergers and acquisitions (part 1 of 2) – http://www.cslawreport.com/article/91
- The role of counsel in addressing destructive cyberattacks – http://www.cslawreport.com/article/69
4. Privacy and data security issues in M&A transactions
This article focuses on the legal and compliance issues of data security more than the direct technical security issues, but these issues are definitely important too.
3. M&A and Cyber – Eyes Wide Open
This article addresses, at a high level, the areas that you should be reviewing with a few sample questions.
2. M&A Deals at risk from weak cyber due diligence
Based on a survey of 214 dealmakers by the international law firm Freshfields Bruckhaus Deringer, 90% of the respondents believe cyber breaches result in a reduction of deal value and 83% say they would abandon a deal mid-transaction if cyber breaches are identified, yet more than 75% say that cyber risk is not analyzed in depth during due diligence.
1. Grant Thornton Comprehensive M&A Due Diligence checklist for buyers
This 30-page document is very comprehensive. While mostly focused on traditional financial and legal due diligence questions, it does address some cyber risk issues.