Since 2012, large consumer products and services companies including Sony, J.P. Morgan, Target, and Home Depot have suffered major cyber breaches. In light of the increasing importance of security at all companies that gather customer or client data, the Center on Law and Security (CLS) and the US Attorney’s Office for the Southern District of New York (SDNY) co-hosted a conference of experts with both law enforcement and corporate perspectives to discuss the evolving cyber threat.

Preet Bharara, US attorney for the SDNY, moderated the first panel, on how corporate America can respond to cyber threats, with panelists Ajay Banga, president and chief executive officer of MasterCard; Randal Milch ’85, distinguished fellow at CLS and former executive vice president of Verizon; and Stephanie Yonekura, partner at Hogan Lovells.

Most cyber attacks, Yonekura said, start from a basic phishing email opened by an unsuspecting member of an organization, allowing hackers to gain access to the network for an average of 200 days before the breach becomes evident. One key preventative measure that companies can take is to send mock phishing emails to all employees to test whether the workforce is susceptible to them.

Once a breach has occurred, the immediate priorities of companies and law enforcement can differ in terms of how and when to inform the public. “We try to have our case all nailed down before we announce who the bad guy is,” said Yonekura, who, prior to her current position, served as acting US attorney for the Central District of California.

Businesses, however, also have to consider public relations and legal liabilities. “Companies realize that there are huge PR issues associated with people finding out months and months later that there was a hack,” said Milch. But ultimately, Banga said, “chasing down the bad guys” is good for companies, too.

A second panel, moderated by Joon Kim, deputy US attorney for the Southern District of New York, conducted a tabletop exercise on handling an escalating cyber crisis. Rajesh De, partner at Mayer Brown and distinguished senior fellow at CLS; Thomas Farley, president of the NYSE Group; Diego Rodriguez, assistant director in charge of the FBI’s New York Field Office; and Edward Stroz, executive chairman of Stroz Friedberg, responded to the scenario, which included first a potential threat to personal finance data, then the theft of proprietary documents, and finally the exploitation of that stolen data.

Although the panelists offered varied perspectives, they agreed on one thing: Companies and major institutions must have a protocol in place for potential cyber intrusions in order to minimize the technological and PR repercussions if an attack succeeds. “The most important thing,” said Farley, “is that you’re thoughtful about a potential hack before the hack happens.”

Posted January 29, 2016