In the Wake of the Shirbit, FireEye and other Cyber Security Attacks, Management Should Start Preparing
By Gadi Meroz*
In 1907 Edward Smit was quoted to say: “In all my experience, I have never been in any accident… nor was I ever in any predicament that threatened to end in disaster of any sort.”
Five years later he was commissioned as Captain of the RMS Titanic.
In the last few weeks we have witnessed a growing number of high-profile cyber-attacks targeted against a host of companies in varied geographies with a common primary intent to embarrass and disgrace such companies and with a secondary intent to extort financial gain from the victims..
The average organizational cost of a data breach in 2020 was approx. $3.9M with an average discovery time of 280 days.[1] That means that, on average, it took the organization more than three calendar quarters to identify that it had been attacked!
Losses from data breaches may result from several items. Regulatory fines, resulting from a breach of the organization’s database, dissemination of sensitive and private data into the public domain and consequently individual and commercial law suits. Operational loss resulting from the harmful impact to core organizational assets, slow-down or shut-down of operations of business units and denial of service to the organization’s customers. Loss of reputation either by negative publicity of event, loss of public and customers’ trust and declining stock performance and devaluation.
Loss can occur from a combination of all the above.
Obviously, shortening the response time by any amount will have a significant impact on the cost structure of the organizational loss. And although the loss structure is not linear by nature, just by simple math with the numbers above, each week of efficient threat detection and response could save significant monetary loss.
Shortening response times can be achieved by organization preparation and most importantly by management response simulations. We have identified five key elements of such organizational preparation:
- Identify organizational assets and systems
- Deploy monitoring and control systems
- Identify in advance crisis-management partners and advisors
- Own your dedicated crisis playbook
- Practice and drill your IT and management in taking key business decisions in a cyber-event
In most – if not all – jurisdictions, the regulators place the ultimate responsibility on the Board of Directors and/or the CEO personally. In fact Gartner predicts that by 2024 “Liability for cyber-physical security incidents will pierce the corporate veil to personal liability for 75% of CEOs . . . .”[2]
To achieve adequate protection for the organization, a mix of technology and legal solutions are needed. It is, therefore, up to the legal counsel, together with his/her professional advisers, to provide and make available to the organization and its officers, the appropriate protective legal measurements and practices. These can be in the form of policies, charters and training tools.
* Gadi Meroz is Counsel to SLG’s Tel Aviv Office, where he focuses on cybersecurity, commercial, and corporate matters. From 2010-2019, Gadi served as Vice President and General Counsel to Radware Ltd. (NASDAQ: RDWR), a global cybersecurity leader. Gadi has deep experience in guiding corporations on their cyber preparedness activities. For more information, please contact Gadi at gmeroz@shelgroup.com.
[1] See IBM Security & Ponemon Institute LLC, Cost of a Data Breach Report 2020, IBM Security, 5 (July 2020), https://www.ibm.com/security/digital-assets/cost-data-breach-report.
[2] Press Release, Gartner, Inc., Gartner Predicts 75% of CEOs Will be Personally Liable for Cyber-Physical Security Incidents by 2024 (September 1, 2020), https://www.gartner.com/en/newsroom/press-releases/2020-09-01-gartner-predicts-75–of-ceos-will-be-personally-liabl#:~:text=Liability%20for%20cyber%2Dphysical%20security,of%20property%20or%20environmental%20disasters.