During the 2019 SMART4SEA Conference, Joe Walsh, Collier Walsh LLP, briefed delegates on “Myths and Realities” associated with recovery from a cyber incident, highlighting how perceptions may impact a recovery.
When we talk about cyber security, we can go back and say we’re going to talk about some stories throughout the day. So, what’s reality? If you think about it, if you take perceptions, misdirections and distractions and put them all together, that in fact is your reality. It’s real to you, no matter what you’re dealing with. No matter where you are in the assessment phase or the recovery phase, it’s your reality.
I will go through five concepts.
- It’s OK to Panic! (Myth)
- Ounce of Prevention (Reality)
- Beware the Law of the Instrument (Myth turned Reality)
- It is not IT (Reality)
- Have a Plan and Plan to Test it Again… again… well, you get the idea (Don’t let Reality turn to Myth)
The reality is that you should pay upfront. You don’t have to pay at the back end. You need to take a look at your systems. You need to find where you fit along the evolution trail when it comes to cyber awareness, cyber security and cyber risk management.
Things we’ve all been through before. To a carpenter, every problem looks like it can be fixed with a hammer. That’s his perception, that’s his reality.
The point of saying this is that we have to look at things differently. We see it a lot with governments and agencies. When they find something that works, they tend to go right down the same path, whether it is regulation or otherwise.
So, we see government agencies, regulators, politicians: if it worked once, it should work again. For example, is cyber risk in the USA similar to the Oil Pollution Act of 1990?
The concepts are very much the same.
- In pollution we talk about Prevention but when you have an incident, you have to be able to respond;
- Area Maritime Security Committees;
- Area Maritime Security Plans;
- Drills and Exercises;
- Risk Based Assessments with “performance standards”;
- Designation of Individuals/Teams to Assess and Respond.
The USCG for example, has used and is using the existing ISPS in the ISM code in the regulatory component. It’s starting to use the things they learned in 1990 for cyber security.
There’s an actual framework we use in the US for an assessment of the process of trying to protect. This is not unique to maritime. This applies to all the different sectors that relate to one another. This is a tool that we’ll use to help you with the process. You have to be careful again, because we get trapped into a certain way of thinking, and if we follow the book you need to be flexible. Don’t get carried away with the plan itself or the requirements.
Remember, just like the Coast Guard or the agencies who are following a certain path, we too as human beings are creatures of habit, so our own internal teams will also follow that same habit and that same process.
It is not “IT”! You cannot send it to the IT department and expect that it is going to be handled. This is what we call a ‘bet the firm’ kind of liability. A ‘bet the firm’ liability in the US is basically a risky proposition.
A cyber incident could cripple your business. You have to work with your insurance brokers to find where the gaps in your insurance are. You need to work with external specialists. And you’re going to have to work with lawyers as well.
I will talk about the ‘plan’, which is more on the operational side. This is more on the investigation side, looking into the prevention issues. Now, you have the people in place and you need to ask: did you report the event? Yes.
Did you report the cause? Not necessarily. You probably want to share it with others, but we all know that in the shipping business we don’t care about anybody else’s water.
There are commercial reasons why shipowners don’t want to explain why they’ve been compromised, as well.
If you had an event, there are a number of steps you need to take in order to protect your assets and to minimize your exposure, which is a liability.
If your exposure outpaces your assets, your liabilities become solvent.
I recommend that you have a dual set of investigations, one that is legal in nature: what are your exposures, what are your obligations, what are people saying and not saying, are you misleading stakeholders?
And at the same time, you need a business recovery component. People who understand the ones and the zeros.
And they have to work together. But one of the things you want to be careful with, is that you don’t blow privilege, you don’t bust your opportunity.
In the US the legal privilege is very sound and in the European systems it is a little bit different.
The concept is still the same. Lawyers need to understand the problem, so that we can give management, our clients, the best advice to move forward: legal advice.
It won’t be the first time clients don’t follow legal advice. We want to give the ‘Upjohn warning’ to the individuals who want to assist counsel in determining the cause, so that you can give continuous improvement feedback to management for the next time, or find out exactly what happened so that you can minimize those exposures.
The ‘Upjohn warning’ is that you have the right as an employee to remain silent and not tell me what you’ve done or what you know. At the same time, we consider you a key employee who can help us with the situation, and therefore we’re extending legal privilege from the management to include you as an individual.
Also, you have to make sure that you have a good litigation hold. The last thing you want to do is find yourself having complicated the situation. It’s bad enough that you have a problem, but you don’t want people lying about it or trying to cover it up.
You want to make sure your people don’t make the situation worse by trying to cover it up. More importantly, when the regulators do come knocking, you don’t want to have people having deleted things or not having preserved the evidence that you need.
We will go out to the cyber experts and work with them to put the case together, and we will have what we call a ‘Kovel Letter’. Another thing I want to talk about is insurance: most of the carriers that provide cyber insurance will automatically hire two lawyers.
The carriers will hire two sets of lawyers to begin with. They will hire defense lawyers, or the lawyers to help you. You may hire them yourself, and they may pay your bill. It depends on how the policy works.
The second lawyer is going to be working for the insurance company, to determine whether something is covered or not. In that second appointment you want to work with that lawyer or that team.
You want to be coached on how you respond and how you mitigate so you don’t go outside the bounds of your coverage.
Above text is an edited version of Mr. Joseph A. Walsh’s presentation during the 2019 SMART4SEA Conference.
The views presented hereabove are only those of the author and not necessarily those of SAFETY4SEA and are for information sharing and discussion purposes only.
About Joseph A. Walsh, Senior Partner, Collier Walsh LLP
Collier Walsh LLP is a collective team of legal professionals and consultants who are honest, experienced, hardworking, responsive and creative problem solvers. The Collier Walsh Team is led by the highly recognized and well known maritime and environmental expertise found in both William (“Bill”) Collier and Joseph (“Joe”) Walsh, who together have nearly 70 years of combined experience.