[This story previously appeared in Securities Regulation Daily.]
By Amy Leisinger, J.D.
In remarks at the U.S. Chamber of Commerce’s Third Annual Cybersecurity Summit today, Assistant Attorney General John Carlin highlighted the importance of preparation in responding to potential cyber incidents and of public and private cooperation to effectively prevent, mitigate the damage from, and answer these attacks. Applauding the Chamber’s commitment to encouraging proactive cyber risk management and reporting incidents to law enforcement, the official agreed in his remarks that cybersecurity issues affect us all and that the business world should not have to face threats or cope with the fallout of an attack alone.
Cybersecurity planning. Noting recent statistics showing that 97 percent of Fortune 500 companies have been hacked, Mr. Carlin cautioned that “it is a question of when, not if, a major public breach will happen.” Cybersecurity attacks threaten privacy and the vitality of the U.S. economy, he explained, and “disrupting them is our collective responsibility.” A threatened or attacked business will want to say that it did everything possible to protect the company, as well as its customers, employees, and shareholders, the official maintained, and to do this, cybersecurity must be considered as a crucial part of risk management. According to Mr. Carlin, corporate cyber risk management should involve four activities: (1) creation of a comprehensive and understandable cyber incident response plan; (2) evaluation of the potential threats posed by business contacts and other third parties and ensuring that vendors also adopt appropriate practices; (3) consideration of obtaining cyber insurance to provide additional protection; and (4) cooperation among the private sector, lawmakers and regulators, and law enforcement authorities.
Cooperation. As businesses develop cybersecurity response plans, Mr. Carlin noted that the federal government is committed to working with them to protect networks and to identify and stop perpetrators. “At the Department of Justice, this is among our top priorities,” he said. Further, the official continued, indictments and prosecutions, together with disruptions, will play a key role in order in deterring future attacks. “[W]e rely on cooperation from the private sector to bring many of these cases,” he said. In exchange, he stated, the government will provide data and support to aid in businesses’ private efforts to respond to and deter intrusions and will work to decrease the impediments to sharing information with the government, including antitrust issues and threats to proprietary information.
“[W]hen intrusions happen, consumers expect companies to respond promptly, acknowledge the intrusion publicly, and cooperate with law enforcement to mitigate the damage,” Mr. Carlin explained, and the government and the private sector working together will be increasingly necessary to respond to security threats.