By: Jessica K. Nall, Chair, White Collar Defense and Corporate Investigations practice and Aviva J. Gilbert, Senior Associate, White Collar Defense and Corporate Investigations practice, Farella Braun + Martel[1]

Several years ago when cybercrime and attacks on corporate information and funds were less common, corporate counsel may have been justified in expecting the government to take a leading role in efforts to identify, locate, and bring to account the perpetrators, especially in cases of large-scale attacks or financial losses.  Fewer cybercrimes to investigate and prosecute meant that both state and federal governments had more resources to dedicate in partnering with companies victimized by cybercrime and supporting companies’ efforts to recoup losses, especially if attempts to remediate thefts were made quickly after discovery. Fast forward to the present and the skyrocketing pace and increasing complexity of cyberattacks—and cybercrime’s global nature—has understandably strained the government’s ability to offer that support. The natural, and serious, consequence is that corporate counsel, both inside and outside the company, are left to manage the investigation and possible fallout from cyberattacks without being able to count on immediate government intervention. This decreasing safety net puts an even greater premium on counsel’s meaningful intervention to prevent losses before they occur, and also means that company counsel, not the government, will be spearheading efforts to staunch bleeding and recoup losses where money is actively flowing or recently flowed out of company coffers or corporate customer accounts. In short, company counsel should, now more than ever, take a key role in both a company’s preparatory and remedial steps in light of this presumed “self-help” regime—where the government is neither able nor willing to swoop in to save the day in the aftermath of successful attacks.

Present Lay of the Land       

The tide of cyberattacks on corporate assets has increased on order of doubling or tripling yearly,[2] and attacks may actually be undercounted.[3] This year has already seen high-profile attacks and we are still in the first quarter: Princess Cruises and Holland America,[4] Mitsubishi Electric,[5] and Travelex[6] are just some of the companies that have suffered crippling attacks in the past couple of months. As commerce and nearly every industry has to varying extents shifted online, enterprising criminals and would-be criminals have followed suit.[7] Technology companies are not alone in moving infrastructure and assets online and into the cloud; non-technology companies are doing so at a fast clip as well.[8] The move is not limited to large companies; smaller enterprises can suffer from the same (or even worse) vulnerabilities in terms of type and method of attack as larger customers.[9] Enterprises of all sizes can be vulnerable to compromise of their systems and spearfishing (including “business e-mail compromise”) for both internal system and cloud-based system credentials, in addition to the laundry list of other attack methodologies (ransomware, falsified invoicing, spoofing, etc.).[10] In addition to these more generalized forms of attack to which all businesses can be vulnerable, there are technology company-specific vulnerabilities in products themselves – weaknesses in code or interfaces that can expose data to compromise and misappropriation by cyber attackers. Given the varied types of exposure and attack and their rapidly increasing frequency, it should come as no surprise that there are insufficient government resources to address the growing need.

The FBI is the natural first call for serious cyber criminality concerns, and has heavily promoted its focus on cyber.[11] The Bureau’s Cyber Division has agents at headquarters and field offices alike, and names intrusions as an investigatory priority.[12] But this investment, sizable as it may be, cannot possibly match the increase in attack complexity and frequency. And while the FBI manages the Internet Crime Complaint Center (IC3),[13] the online reporting tool to which complainants are directed, there is no guarantee of support or even timely response from reports lodged there. In the most recent yearly FBI Internet Crime Report, the Bureau revealed it received 351,936 complaints through IC3 with estimated losses of more than $2.7 billion, and the Recovery Asset Team has been busy—recovering hundreds of millions in assets yearly.[14] There are, however, simply not enough agents available to pursue cybercriminals at this scale or to guarantee that a typical IC3 report will lead to investigation and recovery. Given the pace of successful and attempted intrusions, companies and complainants cannot rely on FBI involvement when they are threatened or attacked by cybercriminals. And the time-sensitive nature of attack response further supports the need for planning without governmental support in the critical initial post-attack phase.

In California—the state with the largest number of cybercrime victims[15]—the Attorney General’s (Cal. AG) office might be the next place company counsel could go for assistance in pursuing cyber attackers, but it too suffers from particularly heavy current resource burdens given the California Consumer Privacy Act’s (CCPA) which went into effect January 1 of this year. The Cal. AG has an eCrime unit and a High Technology Theft and Apprehension Program, and it offers its own online reporting tool and the ability to search through reported breaches online.[16] The Cal. AG’s office, however, is also tasked with developing and executing on the CCPA’s new enforcement framework, a massive effort.[17] In addition to providing a private right of action against companies that have not used “reasonable security measures” to protect California residents’ personal information held by the company, the CCPA empowers the Cal. AG to levy fines in amounts ranging from $2500 to $7500 per violation for failure to comply. But the precise future enforcement landscape under the CCPA is largely unknown; actions cannot proceed until July 1 of 2020 at the earliest. Given the ambiguity surrounding enforcement mechanisms and the sizable focus on CCPA, the Cal. AG’s resources are likely spread very thin. Given the tremendous attention placed on the run-up to and early days of the new law, we can expect the office’s resources to be slanted toward CCPA enforcement while other efforts—such as pursuing cybercriminals or conducting remediation on behalf of organizations—necessarily take a backseat.

Obtaining governmental support for cyberattack responses is also difficult because of the threat’s global nature. The United States federal enforcement resources are not necessarily best-positioned to pursue cyber attackers in other countries, even where there are high-functioning diplomatic and information-sharing relationships with the relevant foreign governments. When seeking to recoup losses or pursue criminal enforcement internationally, corporate counsel should be particularly ready to address such issues alone, to the extent possible. This is particularly so given the federal government attention (and resourcing) given to the threat of cybercrime related to election interference.[18] Much of the federal resourcing on cyberattack response and election security has gone to the Department of Homeland Security (DHS), with a particular focus on protecting election-related databases from international threats.[19] Despite the long tail of election cycle coverage, and the consequent feeling that the 2020 elections have been underway for years, the highest risk period is of course still ahead. Corporate cybersecurity, by contrast, is unlikely to be as visible a federal international enforcement priority this year.

The current environment is thus one in which corporate counsel must be prepared both to prevent cyberattacks and respond to them without governmental support even if such support is desired.  There are also scenarios in which the government may be (from the corporate perspective) better kept at arm’s length. In the early stages of a large-scale cyberattack or intrusion, or in the early stages of detection and response, the facts and perpetrators may yet be unclear. If there is a suggestion of internal wrongdoing or failure, either in the form of intentional misconduct or accidental (or worse, reckless) failure to correct known vulnerabilities, a company may prefer to wholly manage its own response and investigation prior to engaging the government for support or working together closely with the government. Corporate counsel may need to know the contours of its internal actors’ activity first in order to assess risk to the enterprise. This scenario calls for a possibly complex internal investigation into the issue—a critical piece of response and analysis that may need to precede working with the government in a cybercrime context to avoid risk of negative government scrutiny turning towards the victim company itself.

Practical Tips for Preventing Successful Cyber-Attacks and Proactive Self-Help After an Attack

Prevention: Conduct Regular System Hygiene and Procure Cyber Insurance

Preparatory self-help should include counsel involvement in company technology “hygiene,” or regular evaluation and testing of vulnerable systems. This up-front effort can prevent or mitigate losses should an attack occur down the road. Consider advising a client that counsel should have a seat at the penetration testing table, or the comparable pressure-testing of company systems that enterprises should conduct regularly. The privilege implications of appropriately involving counsel early can also become important should a company later be involved in cyber breach-related litigation.  Company counsel should also consider advising on the wisdom of procuring cyberinsurance covering at least some response costs, and make sure qualified coverage counsel evaluates any policies under consideration. For technology companies (broadly construed), the counsel-advised testing for weaknesses should encompass not only the production or pre-production environment, but the development environment as well. Although prevention of successful business e-mail compromise or spear phishing attempts can be difficult especially in the case of a large or dispersed employee base, counsel should still ensure that widespread training on these issues occurs and is periodically tested to ensure its effectiveness. Preventative and preparatory testing and training can then be followed by table-top exercises, which should be increasing in complexity, just as cyberattacks have increased in complexity. Counsel should be involved in devising a series of exercises or a multifaceted single exercise designed to determine the internal and non-governmental external assistance a company might need or want to have available in the event of an intrusion.

Prevention: Implement Security-by-Design Rather than Layers of Bolt-on Security Products

One of the best ways to allay risks arising from inevitable cyber-attacks and cyber-crime may be to insist on incorporating technology platforms, products, and hardware that are “secure by design” rather than using bolt-on security products that, while covering flaws in legacy systems, inevitably still leave the company exposed to risk, especially from spear phishing.[20] Despite what may be extensive efforts to train employees on how to recognize and rebuff spear phishing attempts (and many trainings in this area will inevitably fall short), the increasing sophistication and constantly evolving nature of this threat means vulnerabilities will persist. It only takes one employee, however well-trained or well-meaning, clicking on a bad link or wiring out funds in response to a sophisticated-looking request to result in loss to the company. Secure by design systems can rebuff successful spear phishing attempts by recognizing and preventing improper access (for example through malware installation) even where mistakenly authorized as a result of deception. Implementing a secure by design approach may involve a substantial up-front expense to acquire and install security-tested systems such as Chromebooks or IOS devices, (especially helpful when provided for use by personnel with wire authority or access to sensitive or confidential data), but the payoff in rebuffing cyber intrusions and spear phishing alike can more than make up for the cost.

Prevention: Implement Two-Factor, Non-Audio Authentication Controls for External Wires

Even secure by design systems cannot prevent employees from wiring money outside the company in response to deception. Another critical method to prevent significant financial harms from inevitable spear-phishing attempts (in this case in the subcategory of business e-mail compromise) is to implement at least two levels of control and authentication gates for access to systems containing sensitive content, and particularly for authorizing the transfer or wiring funds. Unfortunately, simply requiring voice confirmation for wire requests or systems access authorizations may not be enough. Audio “deepfakes,” often used in service of nefarious conduct, are on the rise. The FTC conducted a workshop a short time ago on voice cloning and its devastating consequences on corporate and individual purses (among other harmful effects).[21] For larger wire transfers or access to especially sensitive systems, audio confirmation alone is no longer sufficiently secure. Instead, counsel should put in place controls requiring two-factor authentication and passcode-based gating in any instance in which sufficient levels of money is moving or system access is being granted, and should ensure clients are not relying on simple audio authentication at any corporate security checkpoint.

Remediation: In Cases of Spoofing, Use Administrative Takedown Tools

If an attacker is engaging in online spoofing or otherwise attempting to confuse users into believing the attacker is the company or a legitimate company site, traditional legal remedies such as trademark infringement litigation may be ineffectual due to the inability to easily identify and/or gain jurisdiction over the attacker.  In such cases, it may be possible to pursue takedown remedies with the attacker’s internet service provider (ISP) or host through the posted policies. Moreover, to the extent the attacker is using a URL confusingly similar to that of the victim company, an action under the Uniform Domain Name Dispute Resolution Policy (UDRP)[22] or Uniform Rapid Suspension System (URS),[23] specific processes governing domain name disputes in which all ISP’s participate) can provide some quick, though potentially temporary, relief. UDRP and URS actions are administrative in nature, and will result in the transfer (in the case of a successful UDRP action) or suspension (in the case of a successful URS action) of a domain name including the company’s trade name or another confusingly similar name to the victim company where such domain was registered and used in bad faith.[24] The relief is often temporary, though, as the attacker can quickly register another confusing domain, resulting in a potential endless game of whack-a-mole. That said, such actions make things more difficult for the offender, and can encourage perpetrators to move on to different, less vigilant targets.

Preparation and Remediation: Build an International Call List

Other types of preparatory self-help can ripen to in-the-moment self-help when a cyberattack or successful intrusion occurs. Specifically, counsel should be heavily involved in identifying in advance the technical and legal experts—internal or external—who will be needed to help in mitigating an intrusion’s immediate effects and investigating thereafter. This is not a new concept in cyber security, but the present self-help regime calls for counsel to help identify, in advance, expanded geographic and international resources to quickly help remediate cyber theft, and recover funds, throughout the country and the world. The expertise needed can encompass internal security engineers and experts in various jurisdictions throughout the company’s operations, forensic analysts, in-house and external investigators, financial partners and more. Critically, counsel should assist in developing a call-in-case-of-emergency list to include counsel dispersed throughout the globe, with varied outside law firm support that can pursue in-locality law enforcement activation or litigation where stolen funds can be located. Now more than ever, it may be necessary to identify and utilize competent local counsel who can activate law enforcement resources in other states or abroad in an effort to recover funds, or to pursue emergency litigation for the same purpose. Finally, even with a stellar resource list available, a company’s primary counsel (in-house or outside) should be prepared to personally direct litigation or liaise on enforcement action nationally and internationally, including hiring and communicating on the front lines with relevant advisors to preserve privilege. Today’s self-help framework almost certainly means litigation or asset recovery efforts will be driven by company counsel. Identifying and preparing the resources required for that effort in advance is critical to effectively responding to corporate cyberattacks in a world where a federal or state government safety net is far from guaranteed.