It was the mother lode among corporate cyber-attacks: Yahoo!’s announcement late last year that it had been victimized by two separate data breaches. The first attack, which occurred in 2014, impacted more than 500 million Yahoo! user accounts, while the second one, in August 2013, affected roughly 1 billion user accounts.
The potential liabilities Yahoo now faces would make even the most grizzled corporate attorneys cringe. The two attacks — together, the largest known security breaches of one company’s computer network — have sparked against the tech giant. They also put Verizon’s $4.83 billion pending acquisition of Yahoo! in jeopardy. Yahoo!’s hacking episode, of course, was just the latest in a Murderers’ Row of cyber-attacks on mega-brands such as Home Depot, Sony and Target within the past couple of years. Yet despite the untold damage and dislocation caused by cyber-crime, many companies tend to downplay the threat.
The Cyber-Threat to Come
The threat to date, as massive as it has been, is lightweight compared to what is in store. Up until now, the risk has largely been compromised data, with companies reflexively offering free credit reporting. What is coming next is not just larger breaches or greater systemic breadth, but greater harm: real financial loss, not just informational loss, and threats to life, health and safety as hospital systems are hacked and national security systems get compromised. Much sooner than companies are prepared for, free credit reporting is going to become not just an inept response, but an offensive one.
Taking a defensive, reactive approach to cybersecurity is not just offensive to stakeholders. It can cost the company dearly. According to , cybercrime will cost businesses $2.1 trillion globally by 2019, increasing to almost four times the estimated cost of breaches in 2015. The average cost of a data breach in 2020 will exceed $150 million, as more business infrastructure gets connected.
To be sure, large and publicly traded companies are getting better at understanding the cybersecurity threat and how to inoculate their data systems from a computer breach. But some boards are quick to isolate the issue within the IT department and fail to recognize that cybersecurity is a companywide risk affecting multiple stakeholders.
The somewhat lax attitude that many companies have regarding cyber-hacking presents an enormous opportunity for General Counsels and corporate attorneys to develop their brand’s cybersecurity strategy and fill what can be a very dangerous void.
“Is the CEO and the board committed to cybersecurity or is it just another line item that will get funded, but without the personal leadership that’s required?” asks Jim Trainor, senior VP for Aon Risk Solutions and former assistant director for the cyber division at the Federal Bureau of Investigation (FBI).
Working closely with senior communicators (either in-house or agency), brand managers and computer engineers, GCs and corporate attorneys can help to create clear lines of communication (and translation) when it comes to cybersecurity and establish who owns what in the event of a computer breach.
“Speed really matters for brands that want to limit the amount of infection [caused by a cyber-attack],” Trainor adds. “Companies may want to bring in a third-party vendor, so when a data breach happens everybody knows the rules of the road in terms of the impact on the operating system.”
Cyber-Education is Crucial
Another key role attorneys can play to bolster their company’s cybersecurity: Encourage crisis management planning for a computer breach. That helps to extrapolate the level of risk organizations might face and determine how prepared they are for a cyber-attack (or not).
Indeed, a major obstacle to effective cybersecurity is that too many boards of directors and C-level execs have not been effectively educated about the reality of cyber-attacks and are under the delusion that it won’t happen to their company.
With that in mind, here are a few tips for GCs and corporate attorneys to arm themselves when it comes to educating boards of directors and C-suite executives on how to establish or reinforce their cybersecurity strategy.
Account for so-called “dwell time,” or the period it takes for a company to realize that its computer systems have been hacked, which often takes months or, in some cases, years.
Consider whether the company has the resources — both financial and human — to combat cyber-crime for the long haul and how to work more effectively with network providers to assist and improve the company’s cyber-defenses.
GCs and corporate attorneys must foster a team mentality so when there is a computer breach all disciplines know what role they must play and there are no surprises among employees, partners and other stakeholders.
Brands and organizations remain quite vulnerable to cyber-crime. As soon as companies bolster their computer defenses, hackers seem to find new ways to get under the hood and cause more damage.
Such damage includes — but is not limited to — an erosion in the company’s stock price, a loss in credibility and a reduction in trust among consumers and customers. That’s a trifecta that GCs can ill afford.
To a significant degree, cyber-attacks are inevitable. It’s not a matter of if, but when and how severe the toll. The rub is putting protocols in place for how to mitigate the damage once it’s done, contain the fallout and communicate to stakeholders what the company is doing to remedy the situation. It’s a strong case for GCs and corporate attorneys to make to the inner sanctum sanctorum — and greatly enhance their value to upper management in the process.
The war on cyber-crime is just beginning. How does your cybersecurity stack up?