Page 13 - Delaware Lawyer - Spring 2020

curity rules promulgated by and through the Federal Acquisition Regulations and cybersecurity standards enacted by the National Institute of Standards and Technology (NIST), including special incident-notice obligations. Energy sector companies may be subject to special rules by the Federal Energy Regulatory Commission or the Nuclear Regulatory Commission, and businesses processing healthcare data are likely to be subject to minimum safeguards established by the Health Insurance Portability and Accountability Act (commonly known as HIPAA) and the Health Information Technology for Economic and Clinical Health Act. In Europe, the General Data Protection Regulation and the Safeguards Rule establish minimum security requirements for data concerning EU citizens.
Large organizations with sophisticated cybersecurity preparedness policies and procedures must stand ready to interact with regulators in the event of a cybersecurity incident. For example, financial sector companies may need to provide notice to multiple state and federal agencies:
• The New York State Department of Financial Services requires covered entities to provide notice within 72 hours of cybersecurity events that are reasonably likely to materially harm a material part of the covered entity’s operations.1
• The Financial Industry Regulatory Authority (FINRA) advises covered firms to immediately notify FINRA and the FBI of any “disruptive attack or breach.”2
• The Gramm-Leach-Bliley Act requires notice to consumers where there is unauthorized access to information maintained by the business that could result in substantial harm or inconvenience.3
• State attorneys general can assert jurisdiction over nearly any cybersecurity incident in the United States that involves unauthorized access to or acquisition of sensitive personally identifying information.
Nearly every company has some sort of “crown jewels” data that merit special attention and protection from cybersecurity threats. Even companies that don’t consider their data of interest to intruders have information systems that can attract criminal hackers. Over the past several years, cyber criminals have increasingly targeted companies and non-profits through schemes designed to steal money from unsuspecting billing and treasury departments. Through these schemes, an executive’s email is compromised or mimicked, and instead of seeking to steal information, emails are sent to key officials requesting payment to a new vendor or changes in bank wiring instructions. The officials believe they are wiring funds to a trusted partner, when the account is actually controlled by criminals. On September 10, 2019, the FBI announced 281 arrests in “Operation reWired,” an investigation aimed at stopping international criminal schemes that target individuals who may have access to company financial systems. “The sweep resulted in the seizure of nearly $3.7 million and the disruption and recovery of approximately $118 million in fraudulent wire transfers,” according to the announcement.4
Second Attribute: Benchmarking Success
Second, organizations that successfully manage cybersecurity risks develop a metric or benchmark to evaluate how well cybersecurity issues are being addressed. Often, this occurs by adopting a third-party standard. For example, NIST publishes the Cybersecurity Framework, which is designed to be a universal set of cybersecurity functions and controls that organizations can use to evaluate their own cybersecurity health: “The Framework focuses on using business drivers to guide cybersecurity activities and considering cybersecurity risks as part of the organization’s risk management processes.”5
By measuring cybersecurity preparedness against third-party metrics like the Framework, organizations can demonstrate to executives, board members, customers and regulators that they are taking reasonable steps to manage cybersecurity threats. And company leadership can look to such benchmarking tools as mechanisms to evaluate how risks are being managed without needing substantial technical expertise related to IT systems and related security issues.
Third Attribute: Creating Plans and Procedures
Third, successful organizations create cybersecurity plans and procedures. Most notably, such organizations have policies in place so that successful procedures are institutionalized and critical information about cybersecurity is appropriately shared within the organization. The Department of Justice makes the same point in guidance to industry: “Having well-established plans and procedures in place for managing and responding to cyber intrusions and attacks is a critical first step toward being prepared to weather a cyber incident.”6
Of course, this is easier said than done. When organizations face a serious cyber threat, particularly large and complex businesses, several risks may need to be managed all at the same time, such as:
• Containing the threat and mitigating potential damage;
• Discerning the scope of the problem;
• Reaching out to business partners/customers;
• Communicating with the market/investors;
• Engaging with law enforcement agencies;
• Hiring a forensic firm (through counsel);
• Evaluating regulatory and end-user notice obligations; and