Cybersecurity experts at LAA luncheon advise on data held hostage

A discussion of cybersecurity breaches was on the menu at the annual Law Alumni Association (LAA) luncheon, with experts from the legal, private equity, and technology industries offering perspectives on key issues in a ransomware attack.

Joe Ehrlich '97 (left), Jonathan Kortmansky '94, and Dean Trevor Morrison (right)

Following remarks by out-going LAA president Joe Ehrlich ’97 and president-elect Jonathan Kortmansky ’94, Professor Edward Rock posed a hypothetical scenario about “Morrison Corp.,” a NASDAQ-listed company providing cloud-based document management systems that faces a cyberattack. Clients and the company’s own IT department are suddenly unable to access data, and a popup message indicates that data on Morrison Corp. servers has been encrypted. If Morrison Corp. pays 50 bitcoins within 72 hours, the company’s data will be unencrypted.

Barbara Becker '88
Barbara Becker '88

Ideally, said Barbara Becker '88, co-chair of Gibson, Dunn & Crutcher’s mergers and acquisitions practice group, the hypothetical company will have prepared for such attacks, by identifying and addressing its vulnerabilities in advance and keeping the board briefed on its progress. Without a good backup of its data, the company will likely need to hand over bitcoins. In this example, it’s almost a “no-brainer” to pay, said Becker, since the ransom, worth about $50,000 at today’s prices, is relatively immaterial.

Randal Milch '85
Randal Milch '85 (left) and Edward Rock

A large gap exists between the level of preparedness at large companies, especially those in a regulated industry such as banking, and at smaller companies, said Randal Milch ‘85, former general counsel of Verizon and now distinguished fellow at the Center on Law and Security and at the NYU Center for Cybersecurity. If Verizon were to experience this kind of incident, Milch said, the company would quickly get in touch with its contact at the Federal Bureau of Investigation as well as external counsel to handle any potential litigation. A small company, on the other hand, would be less likely to have the same expertise and might have to hire an IT consultant.

For businesses that are particularly sensitive to cybersecurity risks and reputational issues, an incident during a potential M&A transaction is a crisis that can trigger a deal's Material Adverse Change (MAC) clause and possibly lower the sale price. "Cybersecurity has become an important element of the diligence analysis," said John Suydam '85, chief legal officer at alternative asset manager Apollo Global Management. In M&A deals, Suydam said, "you always want to have the MAC immediately to have leverage to negotiate the outcome."

John Suydam '85
John Suydam '85

As for how to respond to a cyberattacker’s demands, Suydam pointed out that paying a ransom entails risks. “Are you now more of a target than you were before?” he asked. “How many people within your own organization will know it and not think it was the right thing to do, and become, in one way or another, a whistleblower?”

Although ransomware is a predatory activity, the dark web marketplaces where bad actors conduct business are, ironically, built on trust, Milch observed. “If they don’t decrypt, they’ve lost their reputation and it’ll get around pretty quickly,” he said. “The bigger cyber consultancies have a huge reservoir of information about the bona fides of the bad guys.”

The experts concur that advance preparation is critical. Companies should do a risk assessment and devote an adequate budget to address their weaknesses, Becker advised.

“Don’t assume that you’re not the one that can be hacked,” she said.

Posted February 7, 2018