Cybersecurity Insights for Company Lawyers: Lessons Learned from the Latest Major Hacks
Cybersecurity Incidents in the News
Major cybersecurity incidents have been reported in the news for several years now. Back in 2014, media headlines informed us that Committee I, the Belgian permanent and independent review body responsible for reviewing the activities and functioning of the Belgian intelligence services, was affected by the “Heartbleed” vulnerability, a software bug in OpenSSL software that allowed information to be exfiltrated from certain websites. The issue got its 15 minutes of fame, and even its own logo.
Then there was the WannaCry ransomware attack that started in 2017 and trended heavily on social media. It was an unpleasant wake-up call for many organizations. We were further reminded of the brutal operational impact that such an attack can have when mainstream media informed us at length about last year’s hacks at Belgium-based companies Asco, a major supplier for the aerospace industry, and Picanol, mainly known as a leading weaving machine manufacturer.
A recent incident that deserves our attention is the cybersecurity attack on the SolarWinds supply chain, which forced many organizations worldwide to review their networks and take mitigation and remediation measures, including the immediate disconnecting or powering down of SolarWinds Orion products.
Since a few weeks ago, SolarWinds has the following Security Advisory on its website: “In order to help ensure the security of your environment, SolarWinds asks all customers to upgrade/update their software as soon as possible.” The Belgian federal Computer Emergency Response Team (CERT.be), the operational service of the Centre for Cyber Security Belgium, also published an alert on its website with the title: “Highly evasive attacker leverages SolarWinds Orion supply chain to compromise its customers.”
What does a company lawyer need to know about this attack? SolarWinds is a software company with many customers worldwide. Orion, one of its key products, allows organizations to monitor and manage their IT environment. Not a very visible piece of software for most users in an organization, but certainly something that IT professionals want to keep up-to-date.
However, although it is indeed good practice for IT professionals to keep software up-to-date, it was this best-in-class behavior that caused organizations to be affected by this hack.
In summary, SolarWinds’s Orion software was compromised with malicious software code, which entered the IT environment of a multitude of organizations via regularly scheduled and otherwise legitimate software updates, like a Trojan horse. While the breach was only detected on December 12, 2020, recent analysis shows that the threat actor had already accessed SolarWinds on September 4, 2019 and that the malicious software code, referred to as “SUNBURST,” was already compiled and deployed on February 20, 2020 and released to SolarWinds customers shortly thereafter.
Without entering into all the technical details of the attack, it is important to know that the compromised version of the SolarWinds Orion software could have given the attackers full access to the device that runs the software as well as to the information stored on it. And, not to be underestimated and as highlighted by CERT.be, it could also serve as a “jump-point” in your network to attack other devices and establish persistent “backdoor” access, even if the malware itself is removed.
Given the above, it is clear that a company lawyer needs to know whether his/her organization runs SolarWinds Orion software anywhere in the enterprise and, if so, whether the affected software versions have been installed.
And what if your organization does not use SolarWinds software? Unfortunately, that does not necessarily mean that you are out of the woods. First of all, because there are, without any doubt, many providers that store data for which you are responsible – such as cloud providers, payroll providers, etc. Secondly, information about this attack continues to develop and certain companies have already publicly stated that they were targeted despite not being enterprise users of SolarWinds products, so it is important to keep monitoring updates and to re-evaluate if further action is warranted.
Unfortunately, the cyberattack on SolarWinds and its customers is not the only cause of concern for a company lawyer. The risks related to ransomware attacks are significant, and a solid preparation for the “when” is key.
In short, a ransomware attack happens when a threat actor breaks into your IT infrastructure, uses sophisticated encryption software to make your data unavailable, and offers you the decryption key against the payment of a ransom.
According to a report of the Chamber Committee on Economics released in 2020, and picked up by the newspaper De Tijd, Belgian companies pay around 100 million euros each year to cybercriminals. Another interesting datapoint is that one third of the companies affected by ransomware does indeed pay the ransom.
Then we just make sure that we have decent back-ups, no? We simply lose a few hours of work and move on? Unfortunately, it is not that easy. The threat actor is most likely to threaten to make data public if you do not pay the ransom, which would cause an even bigger data breach.
Preparing for the worst…
Preparing for any crisis requires a crisis handbook. This is no different for cybersecurity incidents. An organization should know what to do, whom to call, how to act and how to react. As we might say: the battlefield is not the place to start exchanging business cards…
There are many things that can be decided in advance. How will you determine what happened? Whom will you contact for a forensic investigation? How will you determine the risk of what happened? Whom will you notify? How will you communicate? How will you coordinate internally, or with commercial partners? Make sure that your organization has a solid Cyberinsurance policy. Set up an Incident Response Team with stakeholders from Legal, IT/Security, Privacy/Data Protection, HR, Risk, Corporate Communication, etc.
But do not reinvent the wheel. There is guidance available from regulators, such as the European Data Protection Board, or you can rely on well-established sources such as the Computer Security Incident Handling Guide from NIST or the SANS Incident’s Handler’s Handbook.
And do not forget: no incident response plan is solid until it has been duly stress-tested. A decent cybersecurity fire drill, often referred to as a “tabletop exercise,” with a real cyber incident scenario and all the stakeholders of your Incident Response Team around the (virtual) table, has become more than just good practice.
Data breach notification
And “when” your organization becomes the victim of a cyberattack, you may want to consider submitting a complaint to the police. It would not only provide you with victim-related rights, but the police and criminal investigators have at their disposal more intrusive, and thus effective, methods to investigate and combat cybercrime than you do.
It is also recommended that you report the incident to the CERT.be and ask for advice or help. They have a broader overview of the national and international threat landscape and can help you save time in a time-sensitive crisis situation.
Apart from contractual obligations and sector-specific obligations (e.g., telecommunication providers, “essential” service providers, etc.), you should, of course, think about the organization’s notification and communication obligations under the GDPR.
As a reminder, controllers should notify the competent supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of a personal data breach, unless the breach is unlikely to result in a risk to the rights and freedoms of the affected individuals (so-called “data subjects”). Furthermore, when the personal data breach is likely to result in a high risk to the data subjects’ rights and freedoms, a communication should also be sent to them without undue delay.
While company lawyers play a leading role in the preparation for and the follow-up on cybersecurity incidents, they should not forget that cybersecurity is a team sport. Aligning with other departments is crucial, and ensuring cybersecurity awareness at all levels of the organization is one of an organization’s best defenses. It is often said that the biggest security risk sits behind the keyboard, and it is true that your employees will be better protected in their professional and personal life if they are aware of cybersecurity risks and how to avoid them.
Simple tricks like double-checking a sender’s email address or hovering over a link in an email to check whether it indeed leads to where it should, or checking on an online link’s destination in the bottom left corner of the browser window can, for example, help prevent phishing attacks. Campaigns on Safeonweb.be or Cert.be can be leveraged to create or enhanced awareness, and proactively informing internal stakeholders also helps to keep the cybersecurity discussion alive and serves as a reminder of a company lawyer’s role in it.
We will continue to keep on provide you with cybersecurity insights because, also for us, cybersecurity is a team sport.
More Partner Blogs
In 2019, the European Commission alone spent more than €3 billion on public procurement. The...
With a global environment characterised by regulatory change and a growing emphasis on...
As cybersecurity has become a boardroom topic, legal professionals need to be informed about the...
De vaccinatiestrategie is een hot topic deze dagen. Ook verschillende bedrijven denken na over een...
As the telework during the COVID-19 pandemic does not perfectly fit with the existing legal...