Articles SPOTLIGHT on ZEK Firm Capability — Cybersecurity By Daniel B. Garrie | January 5, 2015 CYBER ACTION ALERT FOR CORPORATE BOARDS AND CEOS Legal Prudency Requires Tapping A New Breed of Cyber-Techno Attorneys – – Billions At Stake As Legal and Technical Demands Coincide By Daniel B. Garrie, Esq.*(see bio below), Co-head of Cyber Security Practice at NYC’s Zeichner, Ellman & Krause LLP (ZEK*- see below), Editor-in-Chief of the Journal of Legal Technology Risk Management and the Journal of Law and Cyber Warfare. The recent cyber hacking so far in 2014 of Alcoa Inc., Allegheny Technologies Inc., Dominos Pizza, eBay, Home Depot, JP Morgan, PF Changs and Sony Playstation, to name just a few, reflects the ugly reality that today virtually every company has either been hacked or doesn’t know they’ve already been hit. On June 10, the prestigious Center for Strategic and International Studies estimated the annual worldwide cost of cybercrime was more than $ 445 billion. Three long years ago Juniper networks found that 90% of companies had been hit by hackers at least once – – from retailers, to financial and financial service firms, restaurants, manufacturing, transportation, utility, information and professional services firms. Prominent New York-area media and financial corporate names recently cited in the news reports as having been targeted by hackers or actually breached include the New York Times, Wall Street Journal, NBC and Morgan Stanley, to name a few. Cyber security attacks can no longer be the exclusive domain of the CIO. The risks are too great. The Board and CEO must provide more than guidance – they must provide active oversight to assure that their enterprises have prudently taken all reasonable measures to protect themselves. Increased scrutiny and pressure from corporate Boards, government agencies like the SEC and the FTC and from financial advisors and insurance companies are creating a sea tide change. Importantly, the SEC has sharpened its focus on cyber security preparedness. Specifically, regulation of disclosure by public companies may soon address cyber security as a material risk that needs to be fully and properly disclosed. A special new cadre of attorneys is required to help Boards and CEOs protect their companies from the vast legal and reputational liabilities that flow from cyber security vulnerabilities. This specifically means that cyber attorneys must be both technologically savvy and fluent in the associated legal issues and risks. To be effective for boards and CEOs, lawyers today must fully understand all the technological implications of cyber security. Absent full understanding of cyber technology, attorneys are ill-equipped to properly advise and protect companies regarding the legal and regulatory issues involved. Those issues are multiplying and complex. They range from compliance with government and industry regulatory bodies to litigation arising from lawsuits by customers, employees, shareholders, vendors, joint venture and other corporate partners whose personal data, proprietary information, intellectual property, or confidential policies and procedures have been lost, compromised, and/or held hostage. Attorneys must be able to address and resolve such central legal cyber issues as: what are a firm’s overall cyber security governance policy and systems? what are the technology, training and personnel, process, policy and procedure steps – – including vulnerability gap assessments – – that a business, government entity or institution needs to take to pass the test of reasonable prudence when it comes to protecting everything from networks and information, remote customer access and funds transfer requests, to the security of the policies and systems of vendors and other third parties who have access to your network or sensitive information? Particularly as they may relate to cyber security litigation? what are the readiness standards that companies must follow to ensure proper performance regarding meeting new SEC “voluntary suggestions” or FTC’s more aggressive enforcement policies regarding adequate cyber security for customers’ personally identifiable information? what constitutes “cyber negligence” on the part of companies faced with cyber security threats – what determines whether companies have taken the necessary steps to assess vulnerabilities, prepare for and defend against cyber attack, and are these steps sufficient to cause cyber insurance carriers to pay on cyber claims? what are the circumstances under which Boards of Directors can be held liable or thrown out for failure to ensure corporate information systems are protected from attack? what constitutes proper and adequate cyber security governance and identification of risks – including proper practices for early warning monitoring in detecting unauthorized activity, how to protect such critical infrastructure as networks, software network resources and remote customer access, as well as funds transfer requests, among others? and what are the proper cyber security roles and responsibilities inside each company, and how should companies determine whether they have the right people with the right training? Cyber systemic risks today are virtually unprecedented, crossing geographical boundaries and affecting multitudes of companies in a single event. The time is here for the “Cyber Techno-Attorney,” especially with the SEC now beginning to look at cyber security in the context of disclosure of material risks. Short bio missing
SPOTLIGHT on ZEK Firm Capability — Cybersecurity By Daniel B. Garrie | January 5, 2015 CYBER ACTION ALERT FOR CORPORATE BOARDS AND CEOS Legal Prudency Requires Tapping A New Breed of Cyber-Techno Attorneys – – Billions At Stake As Legal and Technical Demands Coincide By Daniel B. Garrie, Esq.*(see bio below), Co-head of Cyber Security Practice at NYC’s Zeichner, Ellman & Krause LLP (ZEK*- see below), Editor-in-Chief of the Journal of Legal Technology Risk Management and the Journal of Law and Cyber Warfare. The recent cyber hacking so far in 2014 of Alcoa Inc., Allegheny Technologies Inc., Dominos Pizza, eBay, Home Depot, JP Morgan, PF Changs and Sony Playstation, to name just a few, reflects the ugly reality that today virtually every company has either been hacked or doesn’t know they’ve already been hit. On June 10, the prestigious Center for Strategic and International Studies estimated the annual worldwide cost of cybercrime was more than $ 445 billion. Three long years ago Juniper networks found that 90% of companies had been hit by hackers at least once – – from retailers, to financial and financial service firms, restaurants, manufacturing, transportation, utility, information and professional services firms. Prominent New York-area media and financial corporate names recently cited in the news reports as having been targeted by hackers or actually breached include the New York Times, Wall Street Journal, NBC and Morgan Stanley, to name a few. Cyber security attacks can no longer be the exclusive domain of the CIO. The risks are too great. The Board and CEO must provide more than guidance – they must provide active oversight to assure that their enterprises have prudently taken all reasonable measures to protect themselves. Increased scrutiny and pressure from corporate Boards, government agencies like the SEC and the FTC and from financial advisors and insurance companies are creating a sea tide change. Importantly, the SEC has sharpened its focus on cyber security preparedness. Specifically, regulation of disclosure by public companies may soon address cyber security as a material risk that needs to be fully and properly disclosed. A special new cadre of attorneys is required to help Boards and CEOs protect their companies from the vast legal and reputational liabilities that flow from cyber security vulnerabilities. This specifically means that cyber attorneys must be both technologically savvy and fluent in the associated legal issues and risks. To be effective for boards and CEOs, lawyers today must fully understand all the technological implications of cyber security. Absent full understanding of cyber technology, attorneys are ill-equipped to properly advise and protect companies regarding the legal and regulatory issues involved. Those issues are multiplying and complex. They range from compliance with government and industry regulatory bodies to litigation arising from lawsuits by customers, employees, shareholders, vendors, joint venture and other corporate partners whose personal data, proprietary information, intellectual property, or confidential policies and procedures have been lost, compromised, and/or held hostage. Attorneys must be able to address and resolve such central legal cyber issues as: what are a firm’s overall cyber security governance policy and systems? what are the technology, training and personnel, process, policy and procedure steps – – including vulnerability gap assessments – – that a business, government entity or institution needs to take to pass the test of reasonable prudence when it comes to protecting everything from networks and information, remote customer access and funds transfer requests, to the security of the policies and systems of vendors and other third parties who have access to your network or sensitive information? Particularly as they may relate to cyber security litigation? what are the readiness standards that companies must follow to ensure proper performance regarding meeting new SEC “voluntary suggestions” or FTC’s more aggressive enforcement policies regarding adequate cyber security for customers’ personally identifiable information? what constitutes “cyber negligence” on the part of companies faced with cyber security threats – what determines whether companies have taken the necessary steps to assess vulnerabilities, prepare for and defend against cyber attack, and are these steps sufficient to cause cyber insurance carriers to pay on cyber claims? what are the circumstances under which Boards of Directors can be held liable or thrown out for failure to ensure corporate information systems are protected from attack? what constitutes proper and adequate cyber security governance and identification of risks – including proper practices for early warning monitoring in detecting unauthorized activity, how to protect such critical infrastructure as networks, software network resources and remote customer access, as well as funds transfer requests, among others? and what are the proper cyber security roles and responsibilities inside each company, and how should companies determine whether they have the right people with the right training? Cyber systemic risks today are virtually unprecedented, crossing geographical boundaries and affecting multitudes of companies in a single event. The time is here for the “Cyber Techno-Attorney,” especially with the SEC now beginning to look at cyber security in the context of disclosure of material risks. Short bio missing