National Cybersecurity Awareness Month

By John G. Buchanan and Marialuisa S. Gallozzi

Although the National Cybersecurity Awareness Month of October has come to a close, it is not too late for corporate counsel and risk managers to be thinking about cyber-risk insurance — an increasingly essential tool in the enterprise risk management toolkit. But a prospective policyholder purchasing cyber insurance for the first time may be hard put to understand what coverage the insurer is selling and whether that coverage is a proper fit for its own risk profile. With little standardization among cyber policies’ wordings, confusing labels for their covered perils, and little interpretive guidance from case law to date, a cyber insurance buyer trying to evaluate a new proposed policy may hardly know where to focus first.

After pursuing coverage for historically major cyber breaches and analyzing scores of cyber insurance forms over the past 15 years, we suggest the following issues as a starting point for any cyber policy review:
Continue Reading Top Tips and Traps for Cyber Insurance Buyers

Yan Luo advises clients on a broad array of regulatory matters in connection with cybersecurity and data protection rules in China. With previous work experience in Washington, DC and Brussels before relocating to Beijing, Yan has fostered her government and regulatory skills in all three capitals. She is able to strategically advise international companies on Chinese regulatory matters and represent Chinese companies in regulatory reviews in other markets.

Over the past two years, Yan has provided practical advice to clients on nearly all aspects of China’s Cybersecurity Law. She continues to help them navigate the complex and quickly evolving regulatory regime, including on issues arising out of personal information protection, cross border data transfers, and various cybersecurity requirements.

What provisions of China’s Cybersecurity Law have caused the greatest concern for U.S. companies? What advice do you have for these companies when it comes to compliance?
Continue Reading National Cybersecurity Awareness Month Q&A with Yan Luo

Ashden Fein’s Cybersecurity practice focuses on counseling clients who are preparing for and responding to cyber-based attacks on their networks, assessing their security controls and practices for the protection of data and systems, developing and implementing cybersecurity programs, and complying with federal and state regulatory requirements. Ashden has specifically been the lead investigator and crisis manager for multiple complex cyber and data security incidents, including data security breach matters involving millions of affected consumers, advanced persistent threats targeting intellectual property across industries, state-sponsored theft of sensitive U.S. government information, and destructive attacks.

Before joining the firm, Ashden served for thirteen years in the United States Army, first as a military intelligence officer and later as a Major in the Judge Advocate General’s Corps. While on active duty, he specialized as a military prosecutor, gaining significant experience investigating and prosecuting crimes related to national security and cybersecurity. In addition, Ashden served as the Chief of the Criminal Division for a command of 17,000 soldiers and as a legal advisor for an Army Aviation organization deployed in Iraq. He currently serves as a Judge Advocate in the U.S. Army Reserve.

While in the Army, you specialized as a military prosecutor where you gained significant experience in cybersecurity. For example, you were the lead trial attorney in the prosecution of Private Chelsea Manning for the unlawful disclosure of classified information to WikiLeaks. How did your time in the Army help inform your work on cybersecurity matters in private practice?
Continue Reading National Cybersecurity Awareness Month Q&A with Ashden Fein

Kristof Van Quathem, special counsel in Covington’s Brussels office, advises clients on data protection, data security, and cybercrime matters. He has been specializing in this area for over fifteen years and covers the entire spectrum of advising clients on government affairs strategies, ranging from compliance advice on the adopted laws, regulations, and guidelines, to the representation of clients in non-contentious and contentious matters before data protection authorities.

Kristof assists many international companies in their preparation for the EU General Data Protection Regulation (“GDPR”). This includes strategic advice on governance and data management, as well as hands-on assistance with writing policies, procedures, and agreements.

What are some of the major cybersecurity components of the GDPR and the NIS Directive? What tips can you provide to U.S. companies when preparing for these changes?
Continue Reading National Cybersecurity Awareness Month Q&A with Kristof Van Quathem

Steve Surdu is a Senior Cybersecurity Advisor at Covington and a member of the firm’s Cybersecurity Incident Response Team. Prior to joining the firm, Steve served as Vice President of Professional Services at Mandiant, a leading cybersecurity firm.

Steve has more than 35 years of experience both as a consultant and as a senior executive at information security companies. His security experience involves evaluating and developing policies, architecting hosted environments, assessing network and application vulnerabilities, and conducting incident response investigations. He has a deep working knowledge of multiple sectors including internet service providers, telecommunications, high technology, financial services, healthcare, manufacturing, retail, and state and federal government.

It’s clear that cybersecurity has become a real business issue. How do you see cybersecurity being managed as a business risk at the executive level?
Continue Reading National Cybersecurity Awareness Month Q&A with Steve Surdu

Today, one of the most critical risks a company can face is the cyber risk associated with its own employees or contractors. Companies are confronting an increasingly complex series of cybersecurity challenges with employees in the workplace, including employees failing to comply with established cybersecurity policies, accidentally downloading an attachment containing malware or providing their credentials in response to a phishing scam, or intentionally stealing company information for the benefit of themselves or the company’s competitors by simply copying information to their email or a thumb drive and leaving the company. Contractors or consultants with access to company systems can pose these same challenges. To guard against these risks, companies can implement various policies and procedures that address an employee’s entire tenure, from pre-hiring to post-employment, and can implement many of these same precautions with respect to contractors, consultants, or any other third parties with access to company systems.
Continue Reading Cyber Risks in the Workplace: Managing Insider Threats

In the immediate aftermath of discovering a cybersecurity incident, companies often face many questions and few answers amidst a frenzy of activity. What happened? What should we do now? What legal risks does the company face, and how should it protect against them? In this fast-paced environment, it can be difficult to coordinate the activity across an incident response. Well-intentioned actions by incident responders can easily expose the company to liability, regulator scrutiny, or a waiver of applicable legal privileges.

Instead of waiting to make critical incident response decisions in the “fog of war” that often occurs during the fast-paced events following the detection of a cybersecurity incident, organizations should think about how to respond before a cybersecurity incident actually occurs. Responding to a cyberattack can involve a wide variety of different stakeholders such as IT and information security personnel, forensic analysts and investigators, legal counsel, communications advisors, and others. Advance planning, including the development and execution of an incident response plan, allows a company to coordinate activities across a diverse array of different incident response work streams, and to test that coordination. Below, this post describes some key steps companies can take to respond to a cybersecurity incident in a swift, efficient, and effective manner.
Continue Reading Preparation and Practice: Keys to Responding to a Cyber Security Incident

As long as there have been computers, there have been individuals who have been willing and able to compromise them. It was true yesterday, it is true today, and it will be true tomorrow. In fact, the fundamental issues that lead to compromises, large and small, have been very consistent over the years. They fall into the following five categories:

Awareness

If you are going to successfully take on an opponent, you’ll have more success if you know a lot about them – who they are, what motivates them, what tactics they use and what they are capable of. If you don’t understand those things and you don’t have a strong sense for how best to use your advantages against them, you are probably going to have a hard time defeating them.

Further, if you need to collaborate with other parties to be successful, they need to understand these same things.  So employees, senior management, suppliers and clients need to have the same level of awareness or they become a weak link in your defense.
Continue Reading Five Factors Leading to Compromise

As Covington kicks off Cybersecurity Awareness Month with a series of weekly articles, preventative tips, and Q&As developed by our cybersecurity practice professionals, it’s worth recollecting how much our cybersecurity landscape has changed over the last twenty-plus years, and how the law has responded to these evolving challenges.

Although the late 1990s saw the first denial-of-service attacks, and the “I Love You” worm and the Melissa virus damaged computers across the internet, cybercrimes were largely committed by small groups of young “hackers” more interested in learning how to use computers and navigate the internet than in causing serious economic damage. Of course, the government and the military were already grappling with more serious intrusions, but the potential benefits to society of global connectivity outweighed any potential long-term threats.

Over time, however, cybercrime became a source of revenue, and soon well-funded, international criminal conspiracies, supported by a robust online black market, were committing digital bank robbery, credit card fraud, and identity theft. Commercial entities increasingly were victimized by indirect means of monetizing information too, including through economic espionage, extortion, and insider trading.
Continue Reading Kicking Off Cybersecurity Awareness Month