Above Board Podcast: 2021 Cyber Events Shaping the Horizon
MoFo Perspectives Podcast
The alarming rise in cybersecurity attacks in 2021 has raised risk mitigation stakes to a new level for boards.
In this episode of MoFo’s Above Board podcast, host, co-chair of MoFo’s Corporate Finance | Capital Markets practice, and former Chief Counsel of the SEC’s Division of Corporation Finance Dave Lynn speaks with Alex Iftimie, co-chair of MoFo’s Global Risk and Crisis Management group, and Brandon Van Grack, who also co-chairs the group and serves as co-chair of the firm’s National Security practice. Both are former senior DOJ officials who bring their vast experience in cybersecurity to analyze the top cyber events that have defined 2021 thus far and provide practical guidance in response to the following key questions:
Speaker: Welcome to MoFo Perspectives, a podcast by Morrison & Foerster, where we share the perspectives of our clients, colleagues, subject matter experts, and lawyers.
Dave Lynn: Hello, welcome to the Above Board Podcast. This is your host, Dave Lynn. I’m co-chair of Morrison & Foerster’s Corporate Finance Capital Markets practice. And I’m very pleased to be joined today by Alex Iftimie and Brandon Van Grack, who are my colleagues here at Morrison & Foerster. Alex is co-chair of Morrison & Foerster’s Global Risk and Crisis Management group. Alex’s practice involves advising clients on cyber and U.S. national security matters, internal investigations, and government enforcement actions. Prior to joining Morrison & Foerster, Alex held several senior positions at the Department of Justice, including Counselor to the Attorney General, Deputy Chief of Staff and Counsel to the Assistant Attorney General for National Security, and Special Assistant United States Attorney in the Eastern District of Virginia. Brandon is also co-chair of Morrison & Foerster’s National Security and Global Risk and Crisis Management group. Brandon’s practice focuses on investigations; criminal defense; and compliance matters involving export controls and sanctions, foreign investment, and cyber incidents. Brandon’s held multiple senior positions in the Department of Justice, including Chief of the Department of Justice’s Foreign Agents Registration Act unit. Alex and Brandon, thank you very much for joining me for the Above Board Podcast.
Brandon Van Grack: Thanks for having us.
Alex Iftimie: Good to be with you.
Dave Lynn: Today, our focus is on the always exciting world of cyber security, and cyber security has been a topic we’ve covered before on the Above Board Podcast, because it really is a topic that’s been on the radar for boards of directors for some time now, but I think 2021 has really raised the stakes for boards to a whole new level, as a result of many of the cybersecurity developments that have been going on. What are some of the key cybersecurity threats that boards of directors should be focused on right now?
Alex Iftimie: Dave, I’m happy to take a first pass at that. This is Alex Iftimie. I’d say that as you noted, Dave, cyber issues have been on boards’ radars for quite some time. And so the question really is, well, what’s new and different about 2021? And from my perspective, I would say two main things. One is a focus on the ransomware threat, and certainly ransomware has been around for many years, but the sheer size of the problem, both in terms of the number of attacks and the number of groups that are responsible for these attacks, as well as the amount of ransoms that are being demanded, have turned ransomware into the cybersecurity threat of the year, and certainly the one that is getting the most focused attention, appropriately so, from boards and from senior management. Second, I would say that supply chain issues are an issue that is getting increased attention among boards, board members, and senior management.
Alex Iftimie: And that feeds off of the SolarWinds compromise from late 2020 that was used by the Russian Intelligence Service as a means of getting into the systems of hundreds of companies across the United States and across the world. And it put into stark focus the fact that companies need to think about not just whether their own systems are secure, but what are the types of risks and vulnerabilities that they’re bringing into their networks as a result of the software they use, as a result of the vendors that they partner with, and as a result of third-party entities that may have access to their network.
Brandon Van Grack: And when you ask about the cybersecurity threats for boards, in many circumstances, the response would be, well, it depends what companies we’re talking about, because not all cyber threats are created equal. Not all actors in this space are created equal, and oftentimes some of the most sophisticated attacks would be nation-state attacks connected to foreign governments. And there are many companies that would not necessarily be the focus or target of those. But when you talk about the two areas that Alex just talked about, it is difficult to think of a company that could not, would not, or is not affected. Ransomware, for example, or ransomware attacks, they’re not looking for, necessarily, sensitive information or defense technology or access to the U.S. government or sensitive personal data that’s connected to individuals that they could connect to espionage on. It’s a for-profit enterprise.
Brandon Van Grack: These are sophisticated criminal syndicates that have discovered that they can make a profitable living doing this work. And, in fact, ransomware groups have sort of adopted the comparative advantage of private industry, and they have different roles and responsibilities based on different groups in terms of who creates the malware, who is involved in reaching out and making the threats. It just, at this point, again, the point being their sole goal is to make money, and therefore every single company is a potential attack vector. And it’s the reason why, without more information, ultimately, more so than pretty much any other cybersecurity threat, ransomware attacks should be a priority for every single board. And then just on the second point in terms of supply chain, it’s the same reason, same point as Alex made, which is supply chain is an issue for every company. And it is a vulnerability that unfortunately, as we have come to recognize and appreciate, boards need to pay particular attention to.
Dave Lynn: What role should boards be playing in dealing with a cyber incident like a ransomware attack?
Alex Iftimie: Well, Dave, I’d say, when we talk to boards about these types of incidents and incident response in particular, the key time for them is before an incident and after an incident. The reality is that the role of directors in executing an investigation to understand what happened and to respond to a cyber incident is very limited. Certainly, they should be briefed on what’s going on a regular basis. They should understand what the company is doing. They will certainly have questions about a company’s response, but really the immediate aftermath of an incident, the response efforts will fall on management and they’ll fall on the IT and security teams of an organization. But there’s a lot that boards should be thinking about before and after an incident. For example, before an incident, we talked to a lot of boards about what they can do to understand the risks that they’re facing to make sure that a company is taking reasonable precautions in light of the specific risks that a company is facing.
Alex Iftimie: And I think this feeds off of Brandon’s point that no two companies are identical, and the goal of boards of directors is not just to think about, well, what is the baseline that every company should adhere to, but rather to think about the specific risks that a company faces and to think about the extent to which it’s appropriate for a company to mitigate those risks. So their goal should be to set the tone for an organization and to ensure that an organization is taking cybersecurity issues seriously, and that they’re treating them as an enterprise risk that affects any number of areas of a company, rather than just as an IT security issue. They should also be thinking about, how are these risks being communicated to the board? And so we’ve seen organizations do things differently.
Alex Iftimie: A lot of organizations have cyber security risks elevated to the audit committee, but we’re also seeing a growing number of companies that have these types of issues be raised to a risk or a technology or a cyber security committee. And to make sure that they’re getting accurate information and timely information on a regular basis that allows them to fulfill their responsibilities. I’ll add to that. We’ve seen a lot of boards of directors be interested in doing tabletop exercises and playing out what an incident would look like for their organization and what the escalation of information and the lines of communication would look like between a management team and the board of directors. And then thereafter, boards really should be thinking about what they do post-incident and how not to let a good crisis go to waste. So boards have often played a role in making sure they understand what was the cause of the incident, what could the company have done better to avoid the incident in the first place, and what can they be doing going forward to strengthen their environment and to reduce the risk to the organization going forward.
Brandon Van Grack: Once again, to sort of emphasize a few of Alex’s points, not all cybersecurity incidents are the same. And one of the biggest challenges when it comes to managing a particular crisis or cybersecurity incident is the decision making. And ultimately the issue is oftentimes there are too many individuals who view themselves as decision makers, or stated differently, it’s unclear in the organization who the right decision makers are. And so reinforcing Alex’s point, the role of the board isn’t necessarily in the middle of an incident to become yet another decision maker, but in fact, to address all of the issues on the front end. And I think circling back to the ransomware issue, it’s, I think, particularly critical to have asked the right questions and make sure the right preparation has been done on the front end because a ransomware attack truly is and creates a crisis in a way that’s not necessarily the same for all cybersecurity incidents.
Brandon Van Grack: And again, it gets to the dynamic of a ransomware attack. A cybersecurity incident, depending on who the actor is and their motivation, oftentimes may be there quietly. And oftentimes a company may, in fact, have time, when it has been identified, to figure out the right way to address all of the issues related to that, in terms of finding out how they got in, addressing the issue, communicating with customers, communicating with the public, and all those concerns. In a ransomware attack, because the goal is to get paid, they purposely try to squeeze the timeline so that it becomes, in fact, a crisis. So you have less time to make those decisions to determine how to address it, because ultimately, that chaos inures to their benefit, forces you to pay a higher premium on getting the information or getting the encryption key that you need in order to go back to normal. And so the preparation on the front end is critical ultimately for when one of those crises does strike.
Dave Lynn: What actions do you expect to see from the U.S. government with respect to cybersecurity in the near term?
Brandon Van Grack: Well, Alex, let me start on that one, which is one of the things that we have seen, but we expect to see not only immediately, but sort of expect the U.S. government to lean heavily on, are sanctions. Economic sanctions. These are the tools that, for example, are the basis for prohibiting the export of goods to Iran. It is a broad tool the U.S. government has, and it is typically the, if not first, one of the primary national security and foreign policy tools that the U.S. government has. And we have seen now cybersecurity and, harping on a theme from today, ransomware attacks, have in fact become a national security issue. And so there have been some sanctions on groups that perpetrated ransomware attacks, but the U.S. government has announced that they are now intending to lean even heavier on sanctions with respect to this issue.
Brandon Van Grack: And so we expect to see and continue to see now, once they sort of cross that line truly, I would expect to see sanctions on all manner of persons and parties connected to ransomware attacks. I don’t want to overstate that, because there’s a limit to how far the U.S. government is likely to go, because if they sanction too many entities, if they make it too difficult or unlawful for companies to pay ransoms, then ultimately they will, in essence, be outlawing ransomware payments. And that is not the objective, or at least what I perceive the objective to be, of the government. They certainly, though, are going to look for ways to make it more difficult, and, in particular, target ransomware actions or actors who go after or sort of cross lines such as impacting critical infrastructure. And again, I think that not only have we seen the U.S. government recently making announcements on that, but I think that’s probably a line that, now that they’ve crossed, they’ll continue to push in that direction. What do you think, Alex?
Alex Iftimie: Well, I certainly agree with sanctions being a big part of what the government is planning to do, just to fill out some other areas that we’re tracking. I mean, the question in some ways is really how is each agency at the federal level and a number of agencies at state government levels, how are each of them responding to what has become an epidemic of cybersecurity incidents, both ransomware attacks and supply chain attacks, and others. And we’re seeing the Biden administration flex its muscle in a number of ways in trying to demonstrate how the government can do more to support companies. And that creates a difficult regulatory landscape for companies to operate in, because it means that you have agencies like the FBI and CISA, who are interested in getting notifications from victims and working with victims to understand what happened to benefit their goals of trying to share information with other companies and to protect the nation. We’ve got agencies like the FTC and the SEC that are each flexing their unique authorities to deal with the cybersecurity issues that we’re facing today.
Alex Iftimie: So for example, the FTC under the new Chair Lina Khan is focused on consumer protection in identifying cases where representations that companies are making about the level of cybersecurity they have or of the protections they have for personal information and other information amount to unfair or deceptive practices. And state attorneys general are focused on that, too. The other one that I think is of particular interest to boards is what the SEC is doing. And they have been focused. And I think, Dave, you may be in a great position to talk about this as well, in terms of scrutinizing what companies are disclosing to investors about cybersecurity incidents that they have experienced, as well as the cybersecurity risks that they face, as well as whether companies have appropriate disclosure controls in place to make sure that when a company experiences a cybersecurity incident, accurate and complete information about those incidents is being communicated to appropriate senior management and to the board that are responsible for making disclosures and certain certifications to the SEC. And among the various things that the SEC is doing, for example, is an enforcement sweep related to the SolarWinds compromise that we’ve touched on already, in which hundreds of companies who are or were SolarWinds customers are being asked for detailed information regarding when those companies learned about the SolarWinds compromise, whether the companies suffered their own incident as a result of the SolarWinds events, and third, what those companies did to respond to that incident.
Alex Iftimie: And we’re hearing that that effort by the SEC is both intended to identify perhaps companies that did not disclose material information about a SolarWinds-related compromise that they may have experienced, but it also feeds into a broader effort by the SEC to develop new rulemaking related to disclosures and disclosure controls and to take another step forward since the SEC’s guidance in 2018.
Dave Lynn: Great, thank you both very much for all of those insights. I really appreciate you taking the time to join me here today.
Speaker: Please make sure to subscribe to the MoFo Perspectives podcast so you don’t miss an episode. If you have any questions about what you heard today, or would like more information on this topic, please visit MoFo.com/podcasts. Again, that’s MoFo, M-O-F-O.com podcasts.