First Cybersecurity Legal Institute reveals best practices to avoid becoming a victim.
The following article was originally published by CyberInsecurity News editor-in-chief David Hechler, who participated in the institute. It is reprinted with permission and has been edited for length and clarity. To read the full article, including an interview with Dean Rob Wilcox, visit cyberinsecuritynews.com/law-school-cybersecurity.
In April, the University of South Carolina School of Law’s Cybersecurity Legal Taskforce held its first Cybersecurity Legal Institute, aimed at helping lawyers, business owners and information technology professionals know how to protect themselves from becoming the victim of a cyberattack. The daylong conference covered ransomware, cyber insurance, business email compromise, artificial intelligence, third-party vendor risks and the California Consumer Privacy Act.
Here are a few highlights:
Maneesha Mithal, associate director of the Federal Trade Commission’s Division of Privacy and Identity Theft, was one of two keynote speakers. Mithal reviewed some of the 60 enforcement actions the FTC has pursued. She also explained the policy work her organization undertakes, involving education and advocacy, that leads to studies, recommendations and testimony before Congress.
The other speaker was Daniel Sutherland, chief counsel of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency. Sutherland talked about CISA’s responsibilities and the emerging threats it’s working to address. Three big ones, he said, are supply chain risk, election security and the conflict between law and technology.
Artificial intelligence is already here
Andrew Arruda, co-founder and CEO of ROSS Intelligence, talked about ways artificial intelligence can perform tasks that save lawyers from hours of tedium, but was quick to address a common anxiety: lawyers will not be replaced by machines any more than bank tellers were replaced by ATMs. Because only 20 percent of Americans who need legal services can afford them, AI may help cut the costs.
It’s just another way of delivering legal services, he added. “It will lead to, in my opinion, more jobs in law.” But they won’t look exactly the same. “AI is not going to replace lawyers,” he concluded. “Attorneys who use AI will replace those who do not.”
The truth about cyber insurance
The cyber insurance panel was filled with warnings, as might be expected given the topic. Joe DePaul, head of FINEX cyber/E&O, North America, said the subject is overrun with misinformation. Many articles on cyber insurance talk about policies that were not actually cyber policies, he noted.
Abigail Oliver, assistant vice president of cyber underwriting at AXIS Capital, talked about how quickly expenses can mount after a breach. Forensics alone can be very expensive, and public relations bills can add up. Then there’s legal advice, lost income and business interruption.
Panelists also agreed that you should consult your lawyer early and often, including when you’re considering the coverage you need and reviewing the terms. For example, breaches are sometimes called “cyber terrorism,” said Andrea DeField, an associate at Hunton Andrews Kurth. You’ll want to be sure this language is covered.
Other tips? DeField pointed out that many policies don’t cover breaches where an employee’s personal device was involved. Companies are wise to make sure that there isn’t a BYOD exclusion. And DePaul noted that if a company is hit with a ransomware demand, it’s going to need a Bitcoin wallet if it decides to pay the ransom.
He asked for a show of hands of everyone whose company has a Bitcoin wallet. No hands went up.
Tabletop set with humor
The day’s final session was a tabletop exercise — or rather a talk about how one works — led by three cyber specialists from Kroll. Isaiah Jensen said that successful hackers sometimes have a problem selling stolen data. But that’s the beauty of ransomware, he said. “They’ve actually found the perfect person to sell your data to. Turns out the perfect person is you!”
Keith Novack reviewed the protocols you want to follow after a cyberattack is detected. The incident response plan must be accessible and clear, and arrangements with third parties should always be set in advance, Novack emphasized. “Googling ‘forensics’ during an attack is not the way to go.”
One of the most important points, Jensen underscored, is having an offline backup that’s easily accessible. And the key decisions are who will declare an incident, when it will be declared and whether to pull the plug on the network. This should be a business decision, he said, not an IT decision. Who makes that call should be set in advance, and it’s best if the executives are involved at that point, so the lines of authority are clear.
Some gaps are almost always uncovered during a tabletop exercise, said Greg Michaels. Part of the point of doing them, he noted, is to find the gaps and work to correct them.
And while they were talking about lessons learned, Jensen lightened the mood one more time. “The best time to do lessons learned is after a tabletop exercise,” he said. “The second best time is after an actual attack.”