National Security and Technology Conversations: Episode 3
Episode 7 • 29th July 2024 • CRA Sessions Podcast • Charles River Associates

The opinions expressed are those of the author and do not necessarily reflect the views of Charles River Associates, its clients, or any of its or their respective affiliates. This podcast is for general information purposes and is not intended to be and should not be taken as legal advice.

Waqas Shahid, Vice President, Charles River Associates

Hello and welcome to the CRA National Security and Technology Conversations podcast. My name is Waqas Shahid, your host for this series. I am a Vice President in the Forensic Services Practice at Charles River Associates, where we help companies comply with complex national security legal and regulatory compliance requirements, including in the areas of export controls, sanctions, and national security-related cybersecurity compliance. When things go wrong, we also help companies investigate, respond to, and remediate alleged non-compliance in these areas.

In today's episode, we will be discussing and exploring key developments related to cyber breach notifications.

Joining me for today's conversation is Andrew Pak. Andrew is a senior counsel with Perkins Coie based in Los Angeles. He counsels clients on cybersecurity, data protection risks, compliance, and litigation matters. Andrew is a former federal prosecutor with the Department of Justice and a cybercrime coordinator for the US Attorney's Office for the District of New Jersey, where he litigated malicious hacking cases and fraud-related matters.

He also served as a senior trial counsel at the DOJ Computer Crime and Intellectual Property Section (CCIPS). Andrew was also In-House Cybersecurity Counsel at a major financial company, and that's where we first connected. So, Andrew is a former client and it's great to have him on the podcast.

Welcome, Andrew.

Andrew Pak, Senior Counsel, Perkins Coie LLP

Terrific, Waqas, great to be here, and thank you for having me. It's been a while since we first connected, but I'll never forget how it started, and it was definitely an interesting matter that we got to work on together.

So great to see you again.

Waqas Shahid, Vice President, Charles River Associates

Yeah. Great. Great to have you. Yeah, and it certainly was an interesting matter.

One of the more novel breach responses that I've been involved with, you know, it's not every day that you get to look at and review source code as part of a breach notification, so that was certainly very exciting.

So before we launch into sort of the meat of today's podcast episode and talk about the recent developments that are critical in this space, which no doubt you've been dealing with on the front lines, I wanted to start off by just doing some warm-up questions. So first, tell me a little bit about yourself.

Andrew Pak, Senior Counsel, Perkins Coie LLP

Sure.

Waqas Shahid, Vice President, Charles River Associates

Where did you grow up?

How did you get to where you are now?

Andrew Pak, Senior Counsel, Perkins Coie LLP

Yeah. I was born and raised in Queens, in New York City. Most of my formative years were in New York before college.

One thing for me that was sort of significant through high school was that I was big into high school debate. It took up a lot of my time and it was something I spent a lot of sort of energy on during that time, and it's kind of where I realized it was in the cards for me to probably be a lawyer sort of down the road. Then I went to the other side of the country for college. I went to UCLA and I had very varied experiences out in LA, you know, some educational, some not. But I spent a decent amount of time out here and then I sort of fell into the tech side of things. Actually, I dropped out for a little bit and was working sort of on the tech side for an Internet encoding company, which is interesting, and I learned a lot there, but then decided to go kind of back to my roots and go to law school. So I went back to New York for law school, and from then on I did the normal kind of law school thing, well, not normal. There's a couple of different paths, but you know, I summered, I got a job at a firm. I did that for a few years at a larger firm, Debevoise & Plimpton LLP, and then spent a few years at a great litigation boutique, Friedman Kaplan Seiler & Adelman LLP, before I went to the US Attorney's office to become a federal prosecutor. And this is sort of where I started getting into cyber, because prior to my experience at the office, I had a background in technology. I did some coding in college. I was doing some tech-adjacent work during those years as well. But I didn't really know anything about cybersecurity, just as far as current events; I just wasn't really aware of what was happening in that space. And this was, you know, I graduated in '06, so around '07, '08, '09, that time period is before a lot of the big breaches surely came out. And then when I started at the US Attorney's office, one of my former colleagues there, Erez Liebermann, was in charge of the sort of CHIP, the computer crime section within our office, and I actually remember he interviewed me and looked at my resume and it's like, oh, well, you probably wanna do, you know, cybercrimes. And what kind of cybercrimes are they?

I'm not even sure what it is that you're dealing with. And like I say, I really didn't at the time have a good sense of what the world of, like, hacking looked like, dark markets and all of that. Very quickly I sort of realized what was out there, and because I did have a tech background I was looped into a lot of things early at the office, even things as sort of mundane as updating how we describe technology in our affidavits for search warrants, and then focused really heavily on cybercrime prosecutions. The cases that we prosecuted when I was in New Jersey were primarily Eastern European hackers or the sort of ecosystem of, you know, dark markets and sort of other services around such hacking activity. I was there for about six years and then went down to DC where I went to CCIPS, the Computer Crime and Intellectual Property Section for DOJ, where I did more of the same in terms of handling prosecutions with various other districts or sometimes litigating sort of privacy issues.

It was over the course of my years at DOJ that I was able to sort of learn some of the cyber side of it, at least seeing what the bad people were doing, right, what the criminals were doing, how they were making money off of it, and sort of nuances around the law around that. And then actually one of the interesting things about that role is a lot of times we would arrest hackers that would be traveling. So let's say we had a hacker in Russia or Ukraine, you know, both countries where there was significant talent at the time and now as well, and where we did not have extradition treaties with those countries. So you'd have to arrest them if they were traveling somewhere else.

And so we had a lot of times where we would, and you know, the interesting thing about those defendants is that there's this notion of cooperation that we have in the United States under the criminal justice system, where there are times where, if you're arrested for something and you have useful information about your crime, but more importantly about other people's criminal activity that can be used by the government, there can be incentives to do that. On some level you don't want to exercise that discretion too much, because obviously for people who are out there committing crimes, you want there to be a just punishment at the end of the day.

But you know, when you're dealing with countries like that, where we don't have legal process, like, as a prosecutor, I couldn't subpoena a bank in Russia. It had a lot of dead ends. And so it tends to be a good opportunity to sit down and maybe pursue that.

So I had the good fortune of being able to do a lot of interviews with different defendants and different contexts along those lines as well to get a sense as to what you know, at least on the criminal side, is happening as it related to cyber security.

I left when we kind of ran out of money and I had to leave the government. I went, as you know, to a financial institution, where we met. There I got to do kind of the other side of it, right. As a prosecutor you would send out legal process, we would talk to victims, we'd get information. But you're not really seeing the tech side, right?

Waqas Shahid, Vice President, Charles River Associates

Yeah, absolutely.

Andrew Pak, Senior Counsel, Perkins Coie LLP

And which is a very complicated side. The way you think about it when you're not in that space is necessarily an oversimplification of sort of the way that it all works. So I had the chance in house to really be able to see that side of it and to work with folks within our infosec stack. And you know what I wanted to do in connection with that.

So when I left the government, I got my CIPP, which is, you know, meaningless in the hands of me. It means something in the hands of others potentially, but you know, a big part of that was really to have that shared knowledge base and nomenclature so that I could then, you know, have the conversations without there being, you know, a guessing game as to what people are saying with the folks within our information security function, whether it be incident response or just more generically on cybersecurity. And from there I would say just over the years, working on various different matters, whether they were reactive or proactive, I find myself looking up and I'm like, wow, I'm pretty entrenched in this sort of area, I guess cybersecurity, more law.

Waqas Shahid, Vice President, Charles River Associates

Yeah. And you know, it's funny.

I've known you for a few years now and I did not.

You know, I guess I didn't read your bio closely enough.

I didn't realize you had dropped out of college at some point to pursue your tech dreams, but I mean, are you really even a techie if you haven't dropped out of college at some point, right?

Andrew Pak, Senior Counsel, Perkins Coie LLP

That's right, it was. It was while I was pursuing my tech dreams.

Not because I'll tell you.

I was, you know, this is the time in my life when I was, like, learning the lessons of, like, opening my mail every day, which I did not enter college with that skill set.

It was nice to, I guess nowadays a lot of kids are doing, like, gap years and things like that. So I didn't have that. I went straight to college after high school. But I did have a few gaps once I got in. And you see this actually in our field, right, in cybersecurity, a lot, where, you know, sort of the book learning, right, the curriculums and all of that, it's useful, but you know, you really kind of have to, I think, roll up your sleeves and get into the work, because all of this is new. You know, there are things that are old hat now, there are things that we're used to seeing, but like every day there's gonna be something new, right.

Because the technology changes and the attacks change, and you have to sort of adjust, and so, you know, a lot of real experience I think has been helpful in this space, you know, more so than in others, right?

Because if I was a tax attorney, you know, the story probably would have been different. Oh yeah, this was interesting, that's sort of how I got into it, right, because there's so much that's cut and dried there.

Waqas Shahid, Vice President, Charles River Associates

Oh yeah. Absolutely.

Andrew Pak, Senior Counsel, Perkins Coie LLP

But you know we're, I guess we're getting to that point, right. Kids in law school now, there may be a lot more sort of materials, guidance and doctrine for them to engage with.

Waqas Shahid, Vice President, Charles River Associates

Yeah, I mean, I did computer science as my undergrad major, but you're absolutely right.

I mean, I didn't really learn how to be a programmer, a useful programmer at least, and certainly not about security, until after I started working in real tech jobs.

So certainly appreciate that point.

Andrew Pak, Senior Counsel, Perkins Coie LLP

Yeah.

Waqas Shahid, Vice President, Charles River Associates

So one last warm-up question before we launch into the meat: what are you reading? What's on your reading list this summer?

Andrew Pak, Senior Counsel, Perkins Coie LLP

Yeah. So right now I'm in the middle of one. I haven't picked this up since the last time I was away, but I'm like halfway through and I'm gonna finish it during the July 4th week ideally, and it's The Three-Body Problem.

Waqas Shahid, Vice President, Charles River Associates

Oh man, that is it.

Andrew Pak, Senior Counsel, Perkins Coie LLP

Yeah.

Waqas Shahid, Vice President, Charles River Associates

That is a treat.

Andrew Pak, Senior Counsel, Perkins Coie LLP

Yeah, I watched the entire Netflix series, you know, very similar and very different from the book in a lot of ways.

But yeah, the book is, you know, so far it's been great and it's a really, really, really interesting.

I was a big science fiction fan when I was younger, and it's just such a different take on a lot of what you're used to seeing.

And yeah, I'm really enjoying it.

Waqas Shahid, Vice President, Charles River Associates

Absolutely. It was really intense.

The first time I read it, I mean, you know, I had heard, of course, about the Cultural Revolution. I just had never realized what it actually was, and it was mind-bending and eye-opening to learn about that through a science fiction book.

Andrew Pak, Senior Counsel, Perkins Coie LLP

Yeah, that's a cool thing about the sort of global world we live in. It's nice to be able to not wait a few decades to be able to read contemporary work from contemporary authors, right, from completely different cultures, and one of the things I like about that is, you know, the fact that you're trying to understand someone from a more different perspective, I would say, than maybe an American author, and even that exercise alone is fun.

Waqas Shahid, Vice President, Charles River Associates

Yeah, absolutely. Alright, so with that, let's talk about cybersecurity, specifically breach notification.

So as you know, and it's not news to you or a surprise to anyone that works in this area, cybersecurity, and specifically risks associated with breaches by state actors or persistent threats, has been top of mind for a variety of regulators, federal government regulators, for a long time now. And for years, the federal government has been prioritizing cybersecurity infrastructure and compliance within the government, but also trying to get the entire US economy up to speed on cybersecurity hygiene and practices.

So today I want to specifically talk about two recent or upcoming developments that I think are very impactful for large swaths of the US economy, and specifically the rule by the Securities and Exchange Commission related to breach notifications, as well as the advance notice of proposed rulemaking that the Department of Homeland Security set forth related to critical infrastructure. So with that, I mean, let's just start with the SEC. Can you give us a little primer on what the SEC rule is, what it requires, when it went into effect, et cetera?

Andrew Pak, Senior Counsel, Perkins Coie LLP

th,:

My public company, that's not something that I'm free to just not report as a public entity; since it's a material effect, I have to report on it. And so that rubric, that framework, has been around for a very long time. What the new rule does is it's very clear: here are the ground rules for how you report material things that are cybersecurity incidents. And if it wasn't clear before, oh, by the way, you have an explicit requirement to report material cybersecurity incidents. So, it's important to understand that what they're doing is they're taking these cybersecurity incidents and putting a framework around them that already exists around reporting for public entities, right.

So a public entity is already gonna have, for example, likely lawyers, whether from the outside or internally, that have to approve language or determine whether things need to be disclosed in public reporting documents already. And so now what is clear is that cybersecurity incidents need to be included in that, and the reporting requirement specifically, it's a four-day requirement. Material events have to be reported in a company's Form 8-K, Item 1.05, and they need to be material, and I know we were gonna talk a little bit about some recent clarifications on that and I'll get to that in a second.

But I do wanna just take a step back and talk about materiality, because I think as we get to the CISA rule, we can see some differences between how they sort of operate. The thing about the SEC rule that's interesting is that, you know, if you and I, Waqas, think about when you're dealing with an incident, what are the metrics that we look at to determine whether it's something that we're gonna have to talk to people about.

And I know there's a lot of specifics for different organizations and regulatory requirements depending on what industry you're in; putting all that aside, we look to things like: what is the amount of data that was accessed? What is the level of disruption that occurred? What is the total number of accounts? Is there something that is the secret sauce for the organization sort of out there, is the secret formula for Coca-Cola out there? Things like that in terms of how you might rate a particular incident, and if you look at a lot of regulatory requirements outside of the SEC rule, you see hints of that, right. Like, let's take a look at data breach laws.

You know, there are specific data elements that need to be triggered in order for you to have a notice requirement, and then for some laws, if you have to notify a regulator, it's only if a threshold amount of data is taken or something to that effect, right?

You see these sort of quantitative measures that you can use to determine whether you're dealing with something significant enough that you have to tell somebody about it.

And the thing about the SEC rule that's a little bit different is that they use a standard of materiality. Now materiality, as you know, Waqas, I know you're an attorney, it's not a standard they came up with for this rule, right? Materiality is a standard that has existed as long as securities fraud litigation has existed, right? The definition is essentially, if it's a piece of information that a reasonable investor would want to know about before making their investment, it's arguably material.

Waqas Shahid, Vice President, Charles River Associates

Absolutely.

Andrew Pak, Senior Counsel, Perkins Coie LLP

So let me give you an example of what I'm trying to get at where I think this rule can cause issues.

Let's say you have an incident.

Let's say a server has test data on it.

You know, a hacker gets in, steals test data.

There's nothing. There are no credentials in the test data, no personal information, nothing that would normally trigger sort of a reporting requirement for a lot of, you know, other regulation.

OK, so you breathe a sigh of relief that the incident was sort of minimal in that respect.

Well, let's say that in the company's public statements, you know, whether it be in SEC disclosures or otherwise in marketing materials, there's a lot of self-touting around the cybersecurity posture that they have, you know, industry standards, right, meeting or exceeding industry standards, doing all these things, and you know, maybe they say MFA, maybe they don't, but maybe that's implied.

But in this incident, you realize that there was no MFA on this server. It should have been implemented, but you realize that there was a whole segment of your network where there was a mix-up, and believe me, this kind of stuff does happen, that you thought would have been covered by the rollout, but it wasn't, right. And so now you know that there were huge parts of your network that didn't have MFA.

And you also know that your logging only goes back, what, 30 days? 15 days? And this has been the state of affairs for a couple of years now.

Waqas Shahid, Vice President, Charles River Associates

If you're lucky.

Andrew Pak, Senior Counsel, Perkins Coie LLP

If you're lucky, if you're lucky.

Right now we don't have any more information. I've set this up so that you don't have much information about what had happened other than that test data was taken. You don't have the logging to go back far enough to know whether the fact that you didn't have these controls in place hurt you in some other way.

Waqas Shahid, Vice President, Charles River Associates

Sure.

Andrew Pak, Senior Counsel, Perkins Coie LLP

You've made representations that arguably suggest you do apply MFA across your network, or even if you haven't said it explicitly, maybe somebody can interpret some of the things that you said in your statements that way.

Do you have a material incident?

Is that a fact that somebody who wants to assess whether they wanna invest in your company would consider relevant to their investment decision?

Now I know that reasonable minds differ on this, but that's sort of the point I'm making, right. Like, whether or not you make the argument that this is absolutely not material, there's no significant data taken, we don't have evidence of a prior, you know, someone actually leveraging this earlier, even though we don't have evidence one way or the other, I think that's reasonable. I also think it's reasonable, and what's more important is what judges are gonna think, right, when they hear an allegation from a regulator or a plaintiff to say that, look, the investor in this case wants a secure company, right? Wants the company with cybersecurity.

Waqas Shahid, Vice President, Charles River Associates

Sure.

Andrew Pak, Senior Counsel, Perkins Coie LLP

They have all these statements about all the controls they use. We have this big incident where we find out that all those controls weren't in place for five years, right, let's say, and even if we don't have a smoking gun where we can say X amount of data was taken, you know, is that a material misrepresentation, right? The other statements that the company has been making about their security, when they realize that, oops, it's not as good as we thought it was.

Waqas Shahid, Vice President, Charles River Associates

Yeah.

Andrew Pak, Senior Counsel, Perkins Coie LLP

You know, it's a gray area, and the problem with a gray area when we deal with the law is that, you know, a lot of times, if it's seen as a gray area, what the judge may ultimately decide is that it's a question of fact for a jury, and if it's a question of fact for a jury, you're already where you don't wanna be if you're the company who had the incident. So that's where materiality can be difficult.

There have actually been two recent statements issued by the director of the Division of Corporation Finance at the SEC, Erik Gerding, about materiality. And I think it has to do with how sticky this all becomes.

So in May, and more recently, just a few days ago, there were statements put out basically saying, you know what you need to do, if you have a material incident: you need to determine whether it's material, and if you decide that it's material, you need to put it in the place we told you to, Item 1.05 in Form 8-K.

What you shouldn't be doing is disclosing an incident in that area where material things should be disclosed and saying that it's not material. The way this came up was in December, you know, when the rule came into effect. There were obviously breaches that occurred following, you know, December, and companies were fulfilling their requirements.

They were trying to sort of walk both sides of the line.

What they would do is they would put in a description of an incident that occurred in Item 1.05, but they're saying we don't believe it's material.

We don't think it's material or we haven't made a materiality determination, but we're putting this in the mix so that you're aware of it one way or the other.

And the SEC has come out and said you can do that, but you don't do that by putting it in Item 1.05, the place where people are looking for your material events.

There are other places you can disclose that, but it's gonna create a lot of agita for a company that has to make that decision.

Waqas Shahid, Vice President, Charles River Associates

As practitioners, both, you know, lawyers and techies and advisors, I have a great deal of sympathy for companies going through this process, right?

I mean, as you and I both know, when a breach occurs or when a cyber incident occurs, it is very difficult, and certainly difficult within the timelines that I understand the SEC requires for certain notifications, to make a determination whether you've lost the crown jewels or whether you've lost, you know, the kickball league schedule, right.

And it may not be apparent for even months whether the threat was limited or whether, you know, a lot of different things are compromised, or whether there's certainly something left behind.

And of course, you know, companies like mine try and help clients get to the bottom of that truth.

But that can take some time.

So how are you advising companies to proceed on this front? I completely understand that the SEC doesn't wanna get spammed with non-material incidents in sections where they wanna focus on material incidents, but what do you do in cyber, where that's often not apparent and can change day to day, you know, what the actual exposure may have been?

Andrew Pak, Senior Counsel, Perkins Coie LLP

So, a couple of things. First, just to keep in mind, and in case I didn't mention it before, it's a four-day requirement from when you make that materiality decision, right? I forget the exact wording, but basically you can't waste time in making the materiality decision.

So when you have an incident on your hands, the timeline to determine whether or not you have a material incident is a little bit, if you think about how these things actually work, there's some flexibility there, in the sense that you might hear of an event and it may be a while, a couple of days, before you hear enough about that event, where the organization knows enough about that event, to even consider that it might be material, right? And you know, at that point there may not be enough, there may be information that suggests it is in fact much smaller than it actually is.

And so there in those situations, let's say it's pretty black and white.

You either have a material event or you don't, but those are the easy cases, right?

You sometimes have harder cases where the organization was looking at an incident, trying to assess its materiality. There may be differing views on that within the organization, maybe between them and their counsel, maybe within the legal department just trying to figure it out. And so I think the instinct is to say, well, let's take a compromise approach. Let's say we don't think it's material, but here it is anyway. That's something you can't do anymore.

What I would say in advising companies in sort of making that decision now is you gotta make it and you gotta own it. I mean, there is a lot of risk, I would say, on both ends for sort of, you know, not making a call that you can live with. Now if you have an incident that's a close call, and maybe I can think of an example as we go, but if you have an incident that's a close call and you end up making the decision to disclose it voluntarily through some of the other reporting tools that you have as a covered entity, but not in Item 1.05, I mean, I think it's really important that you be able to justify that decision down the road and you have some way, you know, under privilege, presumably, to memorialize that so that you have a basis as to what your thought process was. And that's gonna matter because I think if you took a set of regulators on this issue, if you took a set of people that work at financial institutions or other covered entities that deal with this issue, you're gonna have just differences of opinion on the fringes as to whether or not something counts as material or not.

And so now you can't just push it all out there.

You gotta have a record that you can then go back to, to explain why it is you fell on one side of that versus the other. The rest is really kind of risk appetite and risk tolerance for the organization and what you can say about that risk given the specifics of the incident.

Waqas Shahid, Vice President, Charles River Associates

One takeaway for me is, if you're a public company subject to the SEC rules, I think it goes back to, if you remember the old NBC slogan, "the more you know," right? I think it's very important, as you pointed out, that companies not sit on a breach or try and just wing it. I think the more you know, the faster you know, by engaging counsel and by engaging forensic services to really get to the bottom of what happened and what the exposure is, the better you are situated to make these determinations in the very, very tight time frames that are contemplated.

Andrew Pak, Senior Counsel, Perkins Coie LLP

nna hit you back with another:

Waqas Shahid, Vice President, Charles River Associates

That's right.

Andrew Pak, Senior Counsel, Perkins Coie LLP

Because I mean, and I think that's right, you have to do everything that you can to know. But, you know, you have to do all these things to make sure that, as an entity, the right people know.

So let me give you an example.

Like, if you're listening to this and you are in the field of dealing with securities disclosures for your organization, or alternatively, if you are, you know, dealing with cybersecurity incidents, ask yourselves, in the last five years when there was an incident, how often you spoke, if you're a securities lawyer, to the incident folks, and vice versa. Probably not that much, because for the most part there wouldn't be overlap. Now there is, right. So now you can take, you know, a tier one potential cybersecurity incident that triggers incident plans up and down the infosec function. They deal with it, they address it, they have their playbook, their protocols. They've remediated the issues, they've determined whether there was personal information and whether data breach notifications need to be met.

All of that is done. If it's not a huge incident, let's say it doesn't turn out to be a huge incident, if all of that is done but there wasn't a point where somebody had to make sure that either A) they reach out to the securities attorney on this issue or B) they even determine whether they should reach out, then that's where you're gonna have a problem, because there will be plenty of incidents that those attorneys didn't need to see or hear about.

But then there are gonna be those ones that they did.

And if they're in some way, as a securities attorney, you're gonna have to hear about more incidents than you disclose on, because if the only time it gets to you, you're already like, yeah, it's 100% clear.

It's a material incident, then probably you're missing some.

Waqas Shahid, Vice President, Charles River Associates

Yeah, absolutely.

Andrew Pak, Senior Counsel, Perkins Coie LLP

So that's one part of it. The other part of it is this really difficult.

Like before we get before the SEC rule was in place.

You know, you had a lot of disconnects or you know, I guess, like working pains between the legal side and the technical side when you dealt with incident response is oftentimes you've got the lawyers just kind of looking at what the particular trigger requirements are for data breach notification statute.

You know, and it's a pretty road.

You don't have to understand the technology that much.

Your technical team can tell you what you need to know about that, but even then there's sometimes these disconnects that happen between people because they’re talking past each other.

This is gonna be much worse, right?

The beginnings of dealing with this rule in a lot of larger organizations that already have built out functions that deal with 10-Q, 10-K, all the various SEC reporting, the language requirements and the incident response function including, you know, the legal aspects of that. There has to be a really deep understanding for a particular incident, not only what is happening technically, but what the import of that is. Like, you know, I can't tell you how many times you see a forensic report that has language in there that lawyers will rely on for various decisions.

You know, was there data stolen or not? Where you don't get the whole picture and that may be OK in some contexts, but it's not gonna be OK in this context because the concept of materiality requires you to think about the whole picture, right?

Like you may have an incident that comes across your desk now that is immaterial, but it may be tied to 50 other incidents that were also immaterial on their own.

But together they show that there's a much bigger problem and you need to be aware of that.

So finding a way to plug that function, that securities disclosure function, in with the incident response function I think is gonna be a very big challenge.

And even if the right people are in the right rooms, just making sure they understand each other is also a big challenge now.

Waqas Shahid, Vice President, Charles River Associates

We’ve both worked in-house and so it may be clear to us that this is you know as much as this is a legal issue, this is an operational challenge, right?

Just as you pointed out, getting IT, getting information security and getting the legal department to talk to each other in a structured way to make this effective is a challenge all in and of itself, right?

It has nothing to do with the with the legal requirements.

Andrew Pak, Senior Counsel, Perkins Coie LLP

Ohh yeah.

Waqas Shahid, Vice President, Charles River Associates

It's just an operational challenge that that you have to face, so.

Andrew Pak, Senior Counsel, Perkins Coie LLP

Ohh, and now that you know those operational documents will probably have words that made sense to use like material, right?

Waqas Shahid, Vice President, Charles River Associates

Yep.

Andrew Pak, Senior Counsel, Perkins Coie LLP

If you look at any alert tiering matrix, right, they're gonna have either the word significant reputational or material somewhere in there, right.

And now, that term has always had legal meaning outside of it.

But in this context, we kind of knew it would just mean like, serious, right?

It has a much more significant context, that a person in your organization cannot make that call. So even going back to those operational documents and making sure you don't have those, you know, it's only capital-M materiality and it's only the lawyers' job, then, like, maybe not only the lawyers' job, but, you know, just sort of teeing it up as a thing separate and apart from the use of normal natural language in your operational documents is itself, like, a chore that needs to get done now.

Waqas Shahid, Vice President, Charles River Associates

When I was in IT and software development, to your point, a material bug or material incident was nomenclature that we used.

We threw material out pretty frequently to mean something that, you know, is either disruptive to the business operations or, you know, has some other large impact.

But to your point, it's a totally different meaning now, and I think certainly the company needs to sync up on what they call material and what they don't.

OK, alright.

So moving on from this, I understand that just before we go into and as a segue into our second topic, I understand there are some exceptions to this reporting requirement and one of them interestingly is, as I recall has to do with national security.

Can you give us a very brief outline of what those are? Then we'll move on to the second topic.

Andrew Pak, Senior Counsel, Perkins Coie LLP

Yeah, I'll keep it very brief and I'll just say don't get your hopes up on the exception.

So you know if the attorney general determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the SEC in writing, then you can have a delay.

And that's sort of the way the rule is set up, the way it's going to operate because DOJ and FBI have put out guidance, is that if you have a situation like this, you should reach out to the FBI or one of the other agencies.

For example, if you're working with the Secret Service, you can reach out to them as well, and they're not really going to consider you for this if there's any amount of delay between when you determine that you had something material and when you reached out to them because they wanna sort out like all the game, like all the gaming, you know, people gaming the system.

That's not gonna fly.

And you know, my sense is that if you fall within this category, you'd be aware of it before you even had a chance to have to really analyze it legally.

Because I do think it'll be those rare situations where maybe there's some mass attacks spreading through some common source and reporting it publicly is gonna prevent law enforcement who is already acting on it.

You know from doing certain tasks that they need to get done. You know those kinds of situations like these are things that will probably already be on the government's radar, quite frankly, by the time we reached out.

And I just say that because, for anybody looking at this, it is an exception, but it is certainly not the kind of exception that is likely to come to fruition in most incidents that come up. This is gonna be very rare that this applies.

Waqas Shahid, Vice President, Charles River Associates

Yeah, absolutely, absolutely.

Andrew Pak, Senior Counsel, Perkins Coie LLP

So that's really the key takeaway there.

Waqas Shahid, Vice President, Charles River Associates

Alright. Well, speaking of national security and moving on to our second topic, in April of this year, the Cybersecurity and Infrastructure Security Agency, CISA, within DHS released an advanced notice of proposed rulemaking regarding incident reporting requirements related to US critical infrastructure companies.

Can you give us a brief overview of what CISA is planning or thinking there and what the requirements might be with respect to that rule?

Andrew Pak, Senior Counsel, Perkins Coie LLP

Yes, the proposed rule by CISA is authorized by the Cyber Incident Reporting for Critical Infrastructure Act, referred to as CIRCIA.

And so this rule is being promulgated under that statutory authorization.

The thing to keep in mind, I think, that may be surprising for a lot of folks. So we'll talk about the mechanics of how the rule works, but I think one of the things that's interesting is its scope.

Who it all applies to because you know what we think of critical infrastructure, some people might not have a particular view of what that means.

Other people might think of dams and nuclear power plants only, and other people may have other machinations.

But the reality is that if you look at the rule and what it covers, it can be pretty broad in terms of who would be a part of this.

Just for example, there are 16 categories of potential sectors and we'll talk about how one is qualified in there, but some of them are large categories, and for those that may not be in this space, right, you've got energy, defense industrial base, those are kind of obvious, but you also have communications, you've got financial services, information technology, sort of areas that are big categories right now.

The categories themselves do not necessarily define who is covered by themselves, right? But for the first part, I would say there are some organizations out there that are probably covered with this, that maybe haven't realized it yet.

Waqas Shahid, Vice President, Charles River Associates

And that really struck out to me, that stuck out in the sense that this is potentially very, very broad and it's not clear cut who might be covered.

I mean, I think they defined, or you know, they're gonna apply this rule to, quote unquote, a covered entity, but whether or not you are a covered entity is not as straightforward as one would imagine.

As you point out, I mean food and agriculture is included here. Healthcare is included here.

I mean, there's a lot of what you would traditionally think is purely commercial, but as we've learned, almost all commercial concerns tie back to national security in some way.

Andrew Pak, Senior Counsel, Perkins Coie LLP

So since I had the responsibility then of really trying to provide clarity for folks, and the rule as to who is covered and the mechanics of coverage, which I'm happy to start talking through now.

You know, they're pretty clear, but again, if you're working at an organization, would you know off the top of your head whether you qualify?

Depends on the organization, right?

So the way that it works is that.

Waqas Shahid, Vice President, Charles River Associates

Yeah.

Andrew Pak, Senior Counsel, Perkins Coie LLP

There are 16 total critical infrastructure sectors.

We talked about a few of them, like chemical, emergency services, energy, financial services, nuclear reactors, materials and waste.

So there's 16 total and they said if you look at all 16, they're pretty broad.

Once you look at them in the aggregate, because it's hard for any given company, you've got at least an argument that, hey, maybe they are a communications company, right?

So this again, broad categories, now the categories themselves are not dispositive by themselves.

You are a covered entity if you are within one of these 16 sectors and you are considered a large organization, or you are outside of the definition of a small business under the Small Business Administration Act.

So those organizations would be covered entities.

And then if you're smaller, if you're not one of the large organizations within the 16 infrastructure sectors, if you're smaller, but within those 16 infrastructure sectors, then there are sector specific additional things.

Let me give you one example, just to put some flavor, get some color, like within the chemical sector.

If you're a smaller organization and you're in the chemical sector, then the specific sector-based criteria for you is that you own or operate a covered chemical facility subject to the Chemical Facility Anti-Terrorism Standards. And by the way, even determining whether you're considered a small business or large entity is sector specific too; when you look at the act, they're very, like, if you're in agriculture, it might be something as specific as, like, how many bales of hay or something you process. I'm clear.

I’m not in agriculture, but it gets very specific in terms of whether you're large or small.

Then the rule has again additional sector specific things that will bring a smaller organization that's within that sector into this reporting requirement.

That's how it is now.

The problem is that for some organizations that fall within one of the 16 sectors, some of this, if they're a smaller entity, might fly under the radar, because large organizations are likely aware of the fact that they may be within a critical infrastructure sector, but there are smaller organizations that under this rule could still come under the reporting requirement. But even though they're small, it may not be obvious to them, and it's not as though we have just a very clean list of all the organizations that is put out. So it takes a little bit of math, right?

Not actual math, but it takes a little bit of analysis to figure out whether you're covered.

And again, I think the coverage is maybe a bit broader than people might expect just hearing, like, the name of the statute.

Waqas Shahid, Vice President, Charles River Associates

Yeah, that's very enlightening, and I know there's some additional language around what constitutes covered cyber incidents.

So even if you make a determination whether or not you are a covered entity for this rule, you still have to determine whether or not you have a covered cyber incident on your hands.

So just talk us through what a covered cyber incident is for this rule and what that involves.

Andrew Pak, Senior Counsel, Perkins Coie LLP

Yeah, so either you're a covered entity or not.

But even if you're a covered entity, you only have a reporting requirement if it's a covered cyber incident.

Cyber incident, the definition is an occurrence, an event that jeopardizes without lawful authority the integrity, confidentiality.

I'm sorry this is a definition of a cyber incident.

Confidentiality, availability of information on the information system, or actually jeopardizes without lawful authority an information system. So first it needs to basically jeopardize the confidentiality, integrity, availability of information in order for it to be a cyber incident.

Now once it is a cyber incident, we know we're dealing with something like a loss of data, as an example, or a ransomware incident, and we know we're dealing with a cyber incident, then you have to determine whether that incident meets one of, like, four categories of essentially qualitative assessments that might make this more serious.

I wanted to say material in the generic sense, but I can't because right.

But the idea is this is kind of like their form of significant or materiality.

However you want to refer to it.

Waqas Shahid, Vice President, Charles River Associates

Sure.

Andrew Pak, Senior Counsel, Perkins Coie LLP

I would question that you were material but one of four things that you need to consider, right?

So one is, I think, what we're used to thinking about, which is lots of data lost, impacted, stolen, whatever it may be, but a substantial loss of confidentiality, integrity or availability of data. Very standard, even a ransomware attack, theft of credit cards in huge amounts, the kind of mega breaches, you know, that we used to hear about all the time before ransomware was big. All of these would be scenarios where you might have a substantial loss. Now the gray area here is a gray area that is gray, but is one that we're used to dealing with, is it's not super specific as to what constitutes a substantial loss, but, for a lot of organizations that are dealing with something big, it will be clear when you're dealing with theft of your entire customer database, for example, or your financial database.

So it tends to be fairly easily applied.

Then you've got a second one, serious impact on safety and resilience.

So this might this might have to do, the operational folks have a good sense of this.

We'll get to one more specific to operations, but just the idea that this incident can harm others.

So maybe an example would be if it's gonna impact the emergency phone systems and people can't get to their services, etc. That would be serious impact on safety, as an example. Resilience would be a little bit different but same idea. The third one is significant operational disruption. Think ransomware attack but not DDoS attack, right? So a ransomware attack where it takes down your entire network and it's encrypted and you can't go online, you can't do anything for a while.

Distributed denial of service attack can do the same thing, although even one of their comments suggested this, that may be more likely to be not as significant, right, because you can remediate a DDoS attack pretty easily and it doesn't mean that any of your data was stolen or accessed.

A significant third party compromise. Now the way to remember this one is, I think what they're going after is situations where a common service provider platform, like the MOVEit data breach and all these other sort of supply chain data breaches, that, yeah, exactly, that the government is aware of it, right.

Waqas Shahid, Vice President, Charles River Associates

Yep. SolarWinds? Sure.

Andrew Pak, Senior Counsel, Perkins Coie LLP

So you get hit by some back end product, ubiquitous back end product, that you're using that you know lots of people are using and it's not unique to you. It's not like somebody stole your particular set of credentials into that tool, but rather somebody broke into that tool in some way.

That's something that you're gonna wanna report.

And again, you know, the significance here may be more getting into the head of your industry as a whole or the reach of the particular vendor that you're dealing with, but once you think about it from the perspective as to what the government wants to be aware of, they want to get ahead of these. They wanna notify the other downstream potential victims, etc.

It can become pretty clear when this one is triggered, and I think this one probably presents the least amount of agita as a basis for disclosing something for most organizations, because it has happened somewhere else.

Waqas Shahid, Vice President, Charles River Associates

Yeah, so this proposed rule I know has pretty onerous reporting requirements just like the SEC rule.

I think this is a 72-hour reporting time window and I think a separate one for ransom payments, I think that's 24 hours.

Andrew Pak, Senior Counsel, Perkins Coie LLP

Yeah.

Waqas Shahid, Vice President, Charles River Associates

So we won't dive too much into that, but what's the outlook for this rule?

When do you think we may see a final rule to this effect? Because just like the SEC rule, I think this may catch a lot of people by well, I don't know if the SEC rule caught people by surprise, but this one might given how broad it is and the potential coverage here.

So when do you think this might go into effect?

Andrew Pak, Senior Counsel, Perkins Coie LLP

l rule should be published in:

The interesting thing about all of this is, these rules, the SEC disclosure rules, everything that we're hearing about cyber, it's no accident that, you know, this is all coming a few years after we see the explosion of ransomware. Because ransomware, unlike the old school hacks where they used to just steal everything and try to not let you know about it, with ransomware people are aware of it as it's happening, and that means that everyone that's hit, that has security that was breached, you are aware of, which you weren't before, and then you see the size of this problem.

The reason I say that is, even going back to Biden's executive order following some of the bigger ransomware breaches a few years ago and to this now, I think that there is a momentum here that will not go away.

So I wouldn't be surprised if we saw the final proposal this year.

Waqas Shahid, Vice President, Charles River Associates

Yeah, absolutely.

Something to keep an eye out on, for sure.

We talked about two very impactful rules and this is just a tip of the iceberg, there's a lot of other requirements.

For example, you know if you're part of the defense industrial base, you've already got reporting obligations for cyber incidents for the DoD and I'm sure other agencies and entities are going to get in on the action.

What are you telling your clients right now as to what they need to do to prepare?

I mean, certainly breach notification playbooks and incident response playbooks have been around for a while, but this seems to be somewhat of a more monumental shift into faster reporting, quicker reporting. So what are you telling your clients that they need to do in order to prepare for this and really not get caught wrong footed on this?

Andrew Pak, Senior Counsel, Perkins Coie LLP

Yeah, I mean it sort of depends on how regulated the client was prior to this rule.

So for example, public financial institutions that are covered entities.

They have to deal with this rule now, but it is a much easier lift for the programs that they're required to maintain under various other regulatory requirements that they have to deal with like New York DFS for example.

And so it's then for those organizations.

So if you're an organization that has a very rigid, I don't mean that in a bad way, but like a very formalized incident identification reporting sort of response program, then it's a matter of breaking that down or analyzing it and making sure that we have the right touch points.

Like I said before, if you've got an incident, you gotta make sure that the person who's gonna decide materiality is aware of that before the materiality decision is made.

Because if you actually follow your operational documents, they may say it only goes to this place or that place once it's material, and then somebody on the tech side, that's not a lawyer.

That's not aware of these issues, says, well, this isn't material for X, Y and Z reasons, so it doesn't go that way.

And then maybe your 8-K lawyer is not looking at it.

You have to find a way to make sure that even the ones that turn out to not be material are getting routed through the right places, so that decision could be made properly and you're not leaving the important decision maker out of any of those scenarios, and so it's about studying those playbooks and the incident response plans that lead up to them. And then you have to have the right off-ramps for CIRCIA-related reporting as well, which would be another branch of this. So that's one scenario. For organizations that maybe are more on the retail side, maybe you're just in a slightly less regulated industry as a whole, but now you've got to deal with the SEC reporting requirement. Well, I would say then you've got a lot of catching up to do, depending on the size of the organization, right?

So first is how are you identifying events?

Who's responsible for that?

What is your flow for the life cycle from somebody seeing something suspicious or getting a report from a client?

Whatever it is.

All the way until the thing is closed out or disclosures are being made, you have to create something, a set of playbooks, a set of incident response plans, a set of policies that make it clear that you have a particular protocol that you follow and that's gospel for your organization.

Then you're at the same point or similar point to what I described before with a lot of the financial institutions, which is now we need to assess whether or not that function, that playbook, the mechanics of what you're going through brings in the right people. Once you have those people brought into the right room, then you're in a much better place, or you're in a really good spot at that point. You know, mistakes can happen obviously, you can still have things go completely sideways. You can make the wrong decisions, but when you have the right people in the room and the decision is second-guessed later, that second-guessing is much less worrisome. It's one thing to hear, for example, that maybe a CISO sitting with the 10-K lawyer or the securities disclosure lawyer is going over an incident giving reasons why something is or is not material.

Why something does or does not matter.

You may disagree with the arguments in that discussion as to why something shouldn't be reported.

You may disagree as to why something isn't material, but now how would you feel about that same company that doesn't disclose it but didn't have that meeting, didn't even have the discussion.

Much different.

Much harder to defend that because anything that you come up with as a good reason why you shouldn't have disclosed just sounds like what lawyers do, what people think lawyers do, which is just make up answers that fit your facts right.

I mean, there's truth to that.

So I think having the process in place is the most important thing at first.

Then it's a matter of staffing them right, having people, resources, maybe external resources they can rely on.

If to that you're building out in order to make the good decisions during those discussion points, during those engagement points.

But you know, if you're at a point where you know you've got Joe or Janet who is the superstar that just handles your stuff and has never been a problem.

And everything's working and that's the level of insight that you have into how incident response is handled.

And it's not all written out, and I, as an outsider, couldn't look at it and know exactly what people are supposed to be doing, even if people obviously are human.

Then you got to get to that point first, because honestly, the days go by when you're in an organization.

Waqas Shahid, Vice President, Charles River Associates

I mean, before you know it, you've spent 72 hours just trying to figure out what's going on.

And so I certainly agree with all that you've said and I think one corollary to that is I would advise that the companies also need to up their game in terms of record keeping, especially around key decisions.

So it's one thing to, like you said, one thing to have a meeting and decide and another thing to not even have a meeting to make that decision.

But I would just add to that that if you have that meeting, you better make sure you record appropriately what the outcomes were or it might as well be as if you've never had that meeting, right?

Andrew Pak, Senior Counsel, Perkins Coie LLP

Yeah, and with the privilege where appropriate, where protectable.

But yeah, 100%.

You know, I think there's always a risk with memorializing things.

But one thing that most of the folks that have lived in the world of cyber security know is that like, yeah, yeah.

But to a point, right?

Because we can't operate without memorializing things, it's like nothing works the way you need it to.

Waqas Shahid, Vice President, Charles River Associates

Absolutely.

Andrew Pak, Senior Counsel, Perkins Coie LLP

So you have to do it.

You have to do it smart and I 100% agree with that, and especially for determinations like why you might be putting something in item 1.05.

Basically calling it material or outside of 1.05 saying that you know we're disclosing it, but it's not material and what the impacts of that, I mean those are all difficult questions that are gonna be case specific.

And really, as I said before, are gonna require the ability to go back to that rationale if things go south.

Waqas Shahid, Vice President, Charles River Associates

Sure.

Andrew Pak, Senior Counsel, Perkins Coie LLP

And I'd much rather have that memorialized and be able to say, look, see, this is, it's not just what I'm saying now.

This is what we were saying at the time.

Or versus, you know, being concerned that the document exists at all, because, you know, some people will have that reaction.

But, you know, again I think, you know, but look, at the end of the day, all of these regulations, all these regulators, they really want one thing, and they want accurate data about incidents that matter to them, and to the extent that you could figure out that this is the kind of thing that falls into that category.

You better have a good reason as to why it doesn't.

And if you don't, and if you don't memorialize it, you know you will get caught out.

The other thing that I did wanna mention before we go off that topic, or just disclosures, is the other thing to keep in mind, especially with the SEC side, is materiality. Like, once you make the hard decision on an incident, like, OK, yeah.

All right, fine.

This is material.

We're gonna report it.

You have to report all the material aspects of that, like all the warts that made you agree with the other side that, OK, fine, it's material. And one of the worst things I think a company could do in this current environment is do just enough to get the plaintiffs' counsel interested or the regulators interested, but not enough to fully disclose the materiality of the issue.

And so that's something to be careful of, because you end up with the worst of both worlds, right, because you give them a signal.

Like if you know you've been there, you want to report something.

There's layers of voices that always want to clean it up a little bit, but now you've been given out there that something happened, right?

And then all it takes is a good plaintiff’s attorney or regulator to dig a little bit deeper to find a couple of other facts that might have made it look a lot worse that you didn't disclose, and that's where you're gonna be kicking yourself, because you took the stock hit you disclosed it initially a little bit you take another one when you get sued, another one if you lose the summary judgment motion.

You really have to kind of make that decision and own it when you do it.

I've worked with a lot of companies to know how this happens in good faith.

You can't make the decision to own it and then dilute what is said about that to the point where you've now undermined that risk mitigation strategy that you've undertaken and created more risk for yourself by saying things that arguably are half-truths, right?

USC:

Waqas Shahid, Vice President, Charles River Associates

Yeah.

Andrew Pak, Senior Counsel, Perkins Coie LLP

And you know, it's got a 5 year max and I don't know that anybody would get an amount of time for that, but my goodness, you obviously don't wanna have to deal with the criminal allegation.

So, you know things are gonna, you know, the very, very serious rules, you know, very serious time where the marketplace and the government is just not willing.

We're all sick, I think, of kind of the amount of breaches that we see. I think people glaze over the boilerplate language they see in, you know, data breach notifications and the like.

Waqas Shahid, Vice President, Charles River Associates

Yeah.

Andrew Pak, Senior Counsel, Perkins Coie LLP

And you know, I think it's gonna be really important, especially as the SEC is trying to make their mark here.

They're gonna try to enforce places where they can set precedent through enforcement.

Waqas Shahid, Vice President, Charles River Associates

Yep.

Andrew Pak, Senior Counsel, Perkins Coie LLP

You know, it's now is an important time to be careful with these decisions, because if you're one of the handful of companies that might get made, you know, a point, a lesson out of right, you know, that's just gonna look a lot worse than it ultimately would need to.

So vigilance here is, I think, incredibly well spent.

Waqas Shahid, Vice President, Charles River Associates

Absolutely.

Alright.

Well, Andrew, this has been a fascinating conversation and I feel like despite us having covered a lot of ground, we're just scratching the surface on this.

You know, there's a lot of different areas that we could still talk about even within these two rules, not to mention the whole host of other initiatives on this front.

But it's been an absolute pleasure, Andrew, loved our conversation and all the insights that you brought to this area and would love to continue this conversation at some point.

I'm sure we're gonna have a lot to talk about later in the year when the SEC does unleash some of that enforcement and you know the CISA rule becomes effective, etcetera.

So looking forward to reconnecting and certainly keeping the conversation going.

Thank you for joining me.

Andrew Pak, Senior Counsel, Perkins Coie LLP

Sitting here, Waqas, it's always great to catch up, you know, whether on something like this or otherwise, and you know, I had a blast today and, look, always happy to chat.

It'll be really interesting to see where this all goes.

And you know, I'm excited to see that and excited to, you know, see how your podcast does going forward.

I'm sure you'll do great.

And I'm really glad that you brought me on to chat with you.

Waqas Shahid, Vice President, Charles River Associates

Thank you for joining us for this episode of CRA's National Security and Technology Conversations Podcast. You can listen to all of our episodes on our website at crai.com.
