Addressing Cyber Security in U.S. Business

CyberSecurityAll businesses face a wide range of threats, from economic to competitive to disruptive. Increasingly, businesses are focusing on cyber security threats and the question they all face: What can we do to protect ourselves?

U.S. Defense Secretary Ashton Carter spoke recently at Stanford University, where he argued “to reconstruct the collaboration between the academic world, industry and government that existed in World War II and the Cold War but appears to have died out in recent years,” according to the Washington Post.

It’s a risk the U.S. government takes seriously. In the discussion, Sec. Carter linked the cyber security risks to business with an overall risk to the United States. The Stanford News reports that Carter “warned cybercriminals that Washington considers a cyberattack against the homeland or American businesses and citizens like any other threat to national security.”

Said Carter: “Adversaries should know that our preference for deterrence and our defensive posture don’t diminish our willingness to use cyber options if necessary. And when we do take action – defensive or otherwise, conventionally or in cyberspace – we operate under rules of engagement that comply with domestic and international law.”

What can U.S. businesses do to reduce their cyber security risks?

Debevoise & Plimpton’s Jeffrey Cunard, who leads the firm’s corporate intellectual property, information technology and e-commerce practices, and James Pastore, Counsel and a member of the firm’s Cybersecurity & Data Privacy practice and Intellectual Property Litigation Group, recently wrote a piece publishes in the Private Equity Growth Council titled “Cybersecurity: Reducing Threats to Private Equity Firms and Their Portfolio Companies.”

They wrote: “We call the basic cybersecurity starting point ‘KYA2’: ‘Know Your Assets’ and ‘Know Your Architecture.’ Identifying what you have (assets) and where you keep those assets (architecture) are fundamental when it comes to cybersecurity.

“Under the heading of ‘Know Your Assets,’ the task is to catalog what sort of data the firm collects from all its various constituents and counterparties, from limited partners (LPs) to employees to vendors to acquisition targets to portfolio companies.”

“Under the heading of “Know Your Architecture,” the task is to document where exactly the firm stores this sensitive information (e.g., internally, off-site, with a third-party cloud provider, using an application services provider); what measures are taken to protect the data (e.g., encryption of particularly sensitive information); whether the network is “segmented” so that an intruder who gets in the front door does not have the run of the whole house; whether especially sensitive data is segregated in a particular storage location as opposed to (for instance) being combined for convenience with other data on a computer server that has unused storage space; who has access to different types of data and by what means; and whether stale files are periodically purged.”

In fact, the U.S. government is increasing its cyber security watch — and its requirements on U.S. businesses to protect assets. On April 1, President Obama issued Executive Order (E.O.) 13694, which allows “authorizing new blocking sanctions (asset freezes) against persons that engage in certain significant and malicious cyber-enabled activities that threaten the United States,” according to Debevoise.

Following this Executive Order, Debevoise wrote, “Until now, the U.S. government has focused principally on the need for banks and other financial services companies to have robust sanctions programs. This FAQ appears to be the first time that U.S. authorities have expressly voiced an expectation that technology companies should develop and implement sanctions-specific compliance regimes. It may be prudent for technology companies to review their sanctions-related risks and consider enhancing their compliance programs accordingly. “