
PH Privacy

Cybersecurity Enforcement in Action: Insights for Companies

June 23, 2025

By Brianne B. Powers

Last month, Paul Hastings sponsored the Cybersecurity Law Workshop at the Spring Privacy & Security Forum held at George Washington University in Washington, D.C. The Cybersecurity Workshop featured three panels of experts from both the public and private sectors who offered insight into the various cybersecurity issues companies face on a day-to-day basis.

The first panel, “Cybersecurity Enforcement in Action: Perspectives from Regulators and the USIC,” was moderated by Michelle Reed, a partner at Paul Hastings, and featured panelists Rick Evanchec, section chief at the Federal Bureau of Investigation, and Laura D’Allaird, chief of the Cyber and Emerging Technologies Unit at the Securities and Exchange Commission.

Throughout the discussion, the panelists laid out the actions companies should take when responding to a cybersecurity incident.

Timely Communication With Regulators and US Intelligence Community Should Be a Top Company Priority

From an FBI perspective, engaging with the “victim” company in a timely manner to collect evidence and prevent further impact is extremely important. Similarly, in requiring that companies make disclosures within four days of reaching a materiality determination, the SEC is focused on whether investors have enough information about cybersecurity incidents to make important decisions about their investments, with the goal of creating and maintaining a resilient and strong market.

Early communication can also be helpful in the incident response itself. Particularly in the event of a ransomware attack, the FBI may have the necessary decryption keys, or it may be able to assist with negotiations. Often, the quickest and easiest way to engage with the FBI is through the local field office, and companies are advised to build a relationship with those points of contact now, before an attack occurs.

From the SEC perspective, communications with the FBI do not automatically mean that the incident is “material.” Rather, in reviewing a disclosure regarding a cybersecurity incident, the SEC will look at the big picture, including a focus on what mitigations have been implemented, how the response has been documented and who has been involved in the decision-making surrounding the incident response. At times, and in coordination with counsel, it may also be appropriate for a company to schedule a presentation with the SEC that can be helpful in providing context and scope to the investigation.

Emerging Technologies Lead to New Threats, but Don’t Forget About the Basics

Ransomware will continue to be a big issue, especially where the attackers are operating out of safe harbor nation-states, as will emerging technologies like artificial intelligence, crypto and blockchain, which are providing new avenues for data exfiltration. However, there is also emerging risk from failures to follow cybersecurity best practices, including with respect to remote workers and end-of-life software and hardware. It is important for companies to remember that even the smallest vulnerability can still have significant cybersecurity consequences.

Our Privacy and Cybersecurity practice regularly advises companies on key cybersecurity best practices and incident response. If you have any questions concerning these issues or any other data privacy or cybersecurity developments, please do not hesitate to contact any member of our team.


For More Information

Brianne B. Powers

Senior Privacy Director and Chief Privacy Officer