At the end of April, both the Securities & Exchange Commission (SEC) and the Department of Justice (DOJ) announced new guidance for companies on how to respond to cyber incidents and attacks.
Department of Justice’s Best Practices for Victim Response and Reporting of Cyber Incidents
On Wednesday, April 29, 2015, the Department of Justice Computer Crime and Intellectual Property Section (CCIPS) Cybersecurity Unit issued new, detailed guidance on data breach incident response best practices. The document was announced at an invitation-only roundtable hosted by the DOJ and provides guidance on what the DOJ regards as “best practices for victims and potential victims to address the risk of data breaches, before, during and after cyber-attacks and intrusions.” The document was prepared with input from federal prosecutors as well as private sector companies that experienced cybersecurity incidents. In the document, the Cybersecurity Unit explained that they produced these “best practices” with smaller companies in mind, but that organizations of all sizes, even those with experience in handling cyber incidents, should consider them for their practical benefit.
The guidance is split into four primary sections: (1) Steps to Take Before a Cyber Intrusion or Attack Occurs; (2) Responding to a Computer Intrusion: Executing Your Incident Response Plan; (3) What Not to Do Following a Cyber Incident; and (4) After a Computer Incident. In addition, the document contains a “cyber incident preparedness checklist” that is also split into before, during, and after a cyber-attack or intrusion.
Each section has several subsections containing more detailed guidance. For instance, prior to an incident, the DOJ recommends that companies perform a risk assessment to identify critical services, assets, and data in order to prioritize their protection efforts. The DOJ points to the NIST Cybersecurity Framework as “excellent guidance on risk management planning and policies” and states that it “merits consideration.” The DOJ also recommends that companies have an actionable response plan in place prior to an incident, provides minimum criteria for such plans, and emphasizes that employees responsible for executing the plan must have access to and be familiar with it via training and exercises. Other recommendations for “before an incident” include having appropriate technology and services in place, having appropriate authorization in place to permit network monitoring, ensuring that legal counsel is familiar with technology and cyber incident management, ensuring that organizational policies align with incident response plans, engaging with law enforcement prior to a security incident, and establishing relationships with information-sharing organizations.
The guidance also emphasizes that companies should not “hack back” against network intruders, as this type of retaliation can violate U.S. laws such as the Computer Fraud and Abuse Act, as well as the laws of other countries. The legal risk of hacking back is heightened by the fact that many attacks are launched from compromised machines that the attackers do not own, so a retaliatory intrusion is likely to land on an uninvolved third party rather than on the attacker. Indeed, citing a frequent lack of in-house counsel’s familiarity with the laws associated with hacking back, Assistant Attorney General Leslie R. Caldwell noted at the roundtable that the DOJ had already scheduled “an initial discussion with in-house attorneys who work in a vital sector of our critical infrastructure” to “help them better prepare” on this topic.
In announcing the new document, Caldwell noted that it was part of the Cybersecurity Unit’s ongoing mission to “actively engag[e] with the private sector and the public to address legal challenges related to cybersecurity.” She also pointed to the need for a “strong partnership with you in the private sector” in order to more effectively fight cybercrime. Throughout the roundtable discussion, law enforcement officials also repeatedly emphasized their desire to cooperate with and receive cooperation from the private sector, as well as their intention to treat companies that experience a cyber intrusion as victims rather than subjects or targets of a criminal investigation.
Caldwell noted several collaborative efforts between the public and private sector in her speech on May 14, 2015, at the American Bar Association’s 25th Annual National Institute on Health Care Fraud. Aside from the industry roundtable and the released guidance, the Cybersecurity Unit is also participating with other U.S. government agencies and private companies in cyber incident response simulations in order to enhance their response capabilities. Additionally, the Unit is working with corporate counsel from various industries to address legal issues surrounding network defense and the response to cyber breaches. In her speech, Caldwell encouraged companies to come forward, report cyber breaches, and work with law enforcement in responding to them.
Throughout the roundtable and her recent speech, Caldwell emphasized that the document would be updated over time as a living document and that CCIPS would continue to issue legal guidance to the private sector.
SEC Investment Management Division Cybersecurity Guidance
In its April newsletter, the SEC’s Division of Investment Management released a Guidance Update highlighting the importance of cybersecurity to registered investment companies and registered investment advisers.
The guidance discusses several measures that funds and advisers may take in addressing cybersecurity risk. The suggested measures include periodic assessment of the nature and sensitivity of the information they hold, creation of a prevention and response strategy for cybersecurity threats, and implementation of that strategy through written policies and procedures and through training of officers and employees.
In the staff’s view, funds and advisers should “identify their respective compliance obligations under the federal securities laws” and consider these obligations “when assessing their ability to prevent, detect and respond to cyber attacks.” The guidance also reminds funds and advisers that exposure to any compliance risk associated with cyber threats may be mitigated through compliance procedures reasonably designed to prevent violations of the federal securities laws. Because funds and advisers have varied operations and rely on a number of service providers, they should tailor their compliance programs based on the nature of their business and assess whether protective cybersecurity measures are in place at the relevant providers.