New York Common files its first cyber risk shareholder proposal

The $209bn New York State Common Retirement Fund filed its first shareholder proposal dealing with cybersecurity, calling on Express Scripts to publicly detail its cyber risk and security efforts.

While the proposal failed to gain the support of a majority of shareholders, the state pension system said that cyber risks will be an increasing concern for shareholders in the future.

“A significant number of shareholders spoke loudly at Express Scripts’ annual meeting supporting our call for the company to publicly detail its cyber risk and actions taken to ensure cyber security,” DiNapoli said in a statement. “Cyber security is one of the most critical issues facing businesses today and breaches can affect millions of people, but Express Scripts has provided shareholders with little reassurance or information on what actions it has taken to mitigate cyber risk in its operations. Company executives should reassure investors that they have taken solid steps to mitigate the risk of a computer breach.”

The New York fund, which holds a $130m stake in the pharmacy benefits management company, requested that the Express Scripts board annually review and publicly report on its cyber risk, including risks related to outsourced business functions, a description of material cyber incidents, risks related to undetected cyber intrusions, and a description of relevant insurance coverage. The company disclosed in 2008 that a data breach affected the personal and medical information of more than 700,000 customers, and State Comptroller Thomas DiNapoli filed the shareholder proposal shortly after the Equifax data breach exposed the personal information of as many as 145 million Americans.

This is the first time the fund filed a shareholder proposal exclusively dealing with cyber security, spokesman Mark Johnson said. Express Scripts had sought to prevent DiNapoli’s proposal from going to a shareholders’ vote, but the Securities and Exchange Commission rejected the company’s request in March, according to the Comptroller’s Office.


Published by Money Management Report/Pageant Media.

Cyber Risks Loom Ever Larger For Government Contractors

By Dietrich Knauth

Law360, New York (September 23, 2014, 4:30 PM ET) — Government contractors’ cybersecurity practices are coming under increasing scrutiny from the government, and recent events highlight the unique risks and vulnerabilities that companies face when they hold valuable government data.

Government and contractor networks are under continuous threat from cyberattack, and security and reporting remain serious challenges, as shown by a Sept. 17 Senate report on successful attacks on the networks and databases of U.S. Transportation Command contractors.

The fallout for contractors, especially ones that rely principally on the government for business, can be significant if cyberattacks cause the government to lose faith in them, as has happened to embattled U.S. Investigative Services, which lost its Office of Personnel Management contracts earlier this month.

“What’s happened with USIS should be a wake-up call to industry,” said Robert Nichols, co-chair of Covington & Burling LLP’s government contracts group. “USIS won’t be the last company that suffers from this. I think major contractors will be put out of business to set an example for other contractors.”

USIS had a history of contracting woes dating back to its background checks for NSA leaker Edward Snowden and Navy Yard shooter Aaron Alexis and continuing with a massive fraud suit that accuses the company of filing incomplete background check reports while billing the government for completed work.

But a state-sponsored cyberattack that breached USIS’ systems was apparently the straw that broke the camel’s back, with the OPM and the Department of Homeland Security suspending USIS’ contracts in its wake. OPM, which was USIS’ primary customer, decided Sept. 9 that it would not renew USIS’ background check contract, putting a serious dent in the company’s revenues.

To truly protect themselves, contractors should not relegate cybersecurity just to their IT departments and should instead embrace a top-down approach that recruits all a company’s employees into the effort, according to Michael Chertoff, a former Secretary of Homeland Security who now heads a security consulting group.

Chertoff and Nichols, who are partnering with George Washington University for a Sept. 29 seminar on cybersecurity for government contractors, said the recent events re-emphasized the need for bigger thinking from vulnerable companies.

“There is a bit of a tendency to think of this as if it’s just a technical issue, but you’ve got to take a broader view of this than just finding the right piece of equipment or software to put on your network,” Chertoff said.

Before investing in software or other technical solutions, companies should think long and hard about the types of data that could be an attractive target and come up with a comprehensive strategy to limit access to that data, Chertoff said. That strategy could include steps like limiting access to data within the company, limiting remote access or preventing downloads of certain data, Chertoff said.

“Once you’ve laid the rules down, you can then configure your hardware and your software to enforce those rules,” Chertoff said. “What you can’t do is just buy hardware and software and put it on a network and think that solves the problem.”

Ray Aghaian, co-chair of McKenna Long & Aldridge LLP’s cybersecurity practice, also advocates a broad approach where employees, “from the executives on down, place a strict emphasis on security.”

Without high-level executive attention, companies may not be able to align their cybersecurity budgets to their actual needs and may not be able to move quickly enough to respond to breaches, Aghaian said. Employee sloppiness can create vulnerabilities if training isn’t seen as a high priority, as can overemphasizing static defenses over more demanding but more responsive approaches, he added.

“The mistake that a lot of folks make is that there’s a lot of emphasis placed on the intrusion protection system,” Aghaian said. “People often forget about their IDS, their intrusion detection system — and that is just as important, if not more, because you need to very quickly understand if you’ve been compromised.”

Contractor cybersecurity remains a high priority for the government. In the week after the USIS decision, the Senate passed legislation that would grant DHS additional hiring and compensation authority to help recruit and retain cybersecurity experts. It also released a report on cyberattacks launched on U.S. Transportation Command contractors, which carry valuable intellectual property and sensitive information about military personnel movement and cargo transportation.

“These peacetime intrusions into the networks of key defense contractors are more evidence of China’s aggressive actions in cyberspace,” Sen. Carl Levin, D-Mich., said when announcing the report’s findings. “Our findings are a warning that we must do much more to protect strategically significant systems from attack and to share information about intrusions when they do occur.”

The public version of the report revealed that Chinese hackers had stolen emails, documents, passwords and other sensitive information from Transcom contractor networks multiple times between 2008 and 2014. The report called for a tightening of information sharing and disclosure requirements, noting that Transcom heard about only two of the intrusions, even when the FBI and other federal agencies had learned of the successful attacks.

Contractors holding government data are often the “weak link” for potential cyberattackers, and agencies are attempting to enforce better security through several pieces of regulation, as well as through ad hoc contract clauses, according to Nichols.

Because the penalties for a failure can be so steep — terminated contracts, negative past performance ratings, and the threat of suspension and debarment — contracting attorneys need to take care to look for cybersecurity clauses that could impact their clients’ business, Nichols said.

“Different agencies are putting clauses into contracts that shift enormous risk to contractors, without the contractors really understanding what they are agreeing to,” Nichols said. “Because they don’t understand it, they’re not getting insurance for it, so what they are effectively doing is putting the viability [of] the continued existence of their companies at risk.”

Lawyers can help companies set up insurance policies covering cyberattacks and data breaches — a market that remains somewhat underdeveloped — and help them seek DHS certification under the Support Anti-terrorism by Fostering Effective Technologies Act, or SAFETY Act, according to Aghaian. The SAFETY Act limits liability for “claims arising out of, relating to, or resulting from an act of terrorism” and allows the DHS to designate certain cyberattacks as acts of terrorism.

“It’s a very powerful form of liability protection to have, but surprisingly, most companies aren’t making use of that,” Aghaian said.

In the near term, the USIS breach should be a stark reminder that companies face significant risk and uncertainty even when they appear to have handled a cyberattack responsibly, according to Anuj Vohra, a senior associate at Covington.

“Because this is such an evolving threat and the government hasn’t gotten its hands around it, it’s hard for contractors to know what to do,” Vohra said. “USIS is obviously its own discrete circumstance because of everything else it had going on, but it seemed to take all the right steps following the breach to work with the government and address the threat and the breach in an efficient and responsible way, and it still ended up in the same place.”

Published by Law360

DOD Dials Back Contractor Rule For Protecting Data

By Dietrich Knauth

Law360, New York (November 18, 2013, 8:35 PM EST) — The U.S. Department of Defense issued on Monday a final rule on contractors’ responsibilities for safeguarding unclassified technical data, paring down a cybersecurity rule that was criticized as being too broad when proposed in 2011.

The new rule requires contractors to take enhanced cybersecurity measures to protect DOD technical data. The cybersecurity measures are drawn from commonly used practices codified by the National Institute of Standards and Technology, including access control, awareness and training, contingency planning, and maintenance.

While the 2011 proposed rule would have required enhanced cybersecurity for a broader range of unclassified information provided by or developed for the DOD, the final rule is limited to unclassified technical documents related to DOD-funded research and development — including computer software and documents like engineering drawings, technical manuals, blueprints, data sets, studies and analyses — and to other technical information that could be used to produce, repair or modify any military or space equipment.

“After comments were received on the proposed rule it was decided that the scope of the rule would be modified to reduce the categories of information covered,” the DOD said. “This final rule addresses safeguarding requirements that cover only unclassified controlled technical information and reporting the compromise of unclassified controlled technical information.”

The change should be a welcome one for contractors, according to Elizabeth Ferrell, a partner in McKenna Long & Aldridge LLP’s government contracts practice.

“What we have now is just one small sliver of what was proposed in 2011,” Ferrell said. “It’s not a perfect rule, but it’s not as controversial as it was before.”

Some concerns remain for contractors, including the lack of a safe harbor for contractors who report breaches despite complying with the NIST standards, and some ambiguity in the definition of a cyberevent that must be reported, Ferrell said.

“Even though they’ve really narrowed this down, there are certain things that are still troubling from a contractor’s perspective,” Ferrell said.

The DOD said in the final rule that reported cyberincidents will not, by themselves, be considered evidence that a contractor had inadequate security, but flatly denied any safe harbor requests in the comments to the proposed rule, saying “the government does not intend to provide any safe harbor statements.”

While some commenters emphasized the costs of complying with additional cybersecurity steps, the DOD said that the NIST controls “represent mainstream industry practices” and that the DOD is willing to accept reasonable additional costs in exchange for better protection of its unclassified technical information.

In light of the new rule, contractors and subcontractors should quickly determine what data needs to be protected and assess their own compliance with the rule’s NIST standards, Ferrell said.

If contractors do not comply with the NIST standards, they should take steps to become compliant, or prepare to explain why the standards do not apply or why other protections provide adequate security, as allowed by the rule, according to Ferrell.

Published by Law360

US Agencies Get Major Update To Cybersecurity Guidelines

Under the Information Security Management Act, the Office of Management and Budget and the NIST take the lead in setting minimum security requirements used across the federal government, such as giving tips for secure passwords or requiring physical security for sensitive computer systems. The NIST standards have governed federal cybersecurity steps in the absence of federal legislation, and the overhaul is the first such update since 2005.

“This update was motivated by the expanding threats we all face,” project leader and NIST fellow Ron Ross said in a statement. “These include the increasing sophistication of cyberattacks and the fact that we are being challenged more frequently and more persistently.”

The revision’s new assurance controls will help agencies have confidence in the security of their systems and give guidance to contractors that develop information systems, information technology component products and services for the government, according to Ross, who said the focus on trustworthiness in the federal information systems supported the NIST’s slogan of “Build it right, then continuously monitor.”

Contractors may welcome the update as an improvement over ad hoc rules pursued separately by separate agencies. In comments submitted to the NIST on April 8, the Professional Services Council urged the government to halt ongoing efforts to create cybersecurity contract requirements until the NIST framework was in place.

“We strongly believe that the NIST cybersecurity framework should be developed prior to the further development or implementation of new acquisition-specific cybersecurity requirements,” PSC President and CEO Stan Soloway said. “To ensure that consistency is achievable by agencies in both the cybersecurity framework and the federal acquisition arena, PSC recommends that the [Federal Acquisition Regulation] and [Defense Federal Acquisition Regulatory Supplement] initiatives be suspended until the initial NIST framework is completed.”

The new guidelines promote cutting-edge security controls aimed at addressing evolving threats — particularly issues related to mobile and cloud computing, insider threats, supply chain risks, advanced persistent threats, and other areas that have evolved greatly over the past eight years, the NIST said.

To address supply chain risks — an area that has been the focus of recent reports from the Senate Armed Services Committee and House Intelligence Committee — the guidelines recommend that the government sometimes use “blind or filtered buys” to withhold the ultimate purpose of electronic parts from the contractors who supply them.

The guidelines also encourage agencies to offer incentives to contractors that are open about their procedures for vetting the security of their electronic parts and subcontract suppliers, something the U.S. Department of Defense is addressing as it implements the 2013 National Defense Authorization Act. The NDAA provided a safe harbor for contractors who have DOD-approved vetting procedures, while requiring other contractors to pay the cost of replacing counterfeit electronics supplied to a military system.

Previous NIST guidelines, as well as a change in the 2013 National Defense Authorization Act, have pushed contractors to report data breaches affecting government systems. The 2013 NDAA included a last-minute amendment added by Senate Armed Services Committee Chairman Carl Levin, D-Mich., that required cleared contractors to report on cyberattacks and grant the DOD access to information systems for security checks.

Contractors complained that the amendment’s initial language would have provided the DOD with open-ended access to data — even to the point of long-term confiscation of computer servers — with very few controls on how that information would be used or safeguarded. While the final version of the NDAA limits the amendment in a few key ways, requiring the DOD to safeguard trade secrets and commercial information and preventing the DOD from sharing the information outside of the agency, some said the change didn’t go far enough toward addressing contractors’ concerns.

Published on Law360

Obama’s Cybersecurity Order Could Squeeze Contractors

By Dietrich Knauth

Law360, New York (February 26, 2013, 8:01 PM EST) — President Barack Obama’s recent cybersecurity executive order envisions a more centralized approach to protecting the government from hackers, but contractors worry a slew of new costs and burdensome information-sharing requirements could also accompany the well-intentioned move.

Government contractors, already a target for hackers because of their closeness to government data, are among the biggest groups affected by Obama’s Feb. 12 cybersecurity executive order, which pushes federal agencies to work more closely with defense contractors, banks, electric power companies, communications providers and other critical infrastructure operators through voluntary security standards and increased dialog about cyberthreats. The order and an accompanying policy directive also direct the agencies to consider changing the Federal Acquisition Regulation to include cybersecurity concerns in new government contracts.

But the government’s effort to incorporate cybersecurity standards into acquisition planning, and to harmonize existing procurement requirements could be a mixed bag for contractors. While the new standards will likely carry new compliance costs, those additional costs could be offset by smoothing out a “Tower of Babel” of conflicting agency-by-agency and even contract-by-contract approaches, according to Crowell & Moring LLP partner David Bodenheimer.

“It is not all downside. An upside to a FAR regulatory scheme for cybersecurity would be greater uniformity and less compliance burden on contractors,” Bodenheimer said. “One of the problems right now, for federal contractors, is having to comply with a host of changing federal regulations at the agency level.”

But many are concerned that new regulations arising out of the executive order will ask too much of contractors, especially because the government will have to frequently update its standards in order to combat rapidly evolving cyberattacks and new techniques employed by hackers.

“The goal sounds like a good idea, but we’ll have to wait and see what’s proposed,” said Elizabeth Ferrell, a partner at McKenna Long & Aldridge LLP. “Consistency would be helpful but there’s always concerns that the standards will be too strict and too much of a burden on contractors.”

Contractors will also be asked to take part in the executive order’s voluntary information sharing program, which is based on a pilot program already underway between the DOD and some defense contractors. As long as the information sharing remains voluntary, contractors, as with other companies affected by the order, will closely watch as the government settles on a mix of incentives and penalties to encourage the cooperation they’re seeking.

Many companies are worried that reporting on cyberthreats and data breaches will open them to new liability, from exposure of trade secrets and proprietary data, to liability for inadvertently disclosed personal information, to damaged corporate reputations. Contractor groups, including the Professional Services Council and TechAmerica, have already called for granting indemnification to companies that meet cybersecurity standards or exempting their disclosures from Freedom of Information Act requests, steps that would assure contractors, but would require legislative action.

In addition to the reporting risks faced by other companies affected by the order, contractors face a few unique risks when reporting data breaches or cyberattacks — particularly if they lead the government to see the contractor as a less secure partner than potential competitors. Many federal agencies now include information security and safeguards as an element of past performance and experience during a contract competition, according to Bodenheimer.

“That breach may be used against it in other contexts as well, such as being penalized in a competitive source selection,” Bodenheimer said.

Information also carries more risk for contractors than most private sector companies, because government contractors are subject to a number of additional statutory, regulatory and contractual reporting requirements. Noncompliance with one of those additional reporting requirements could open up government contractors to accusations of procurement fraud or whistleblower suits under the False Claims Act.

“Government contractors, by nature, are very cautious because there are a lot of potential liabilities associated with any kind of noncompliance,” Ferrell said. “False Claims Act liability certainly is one of those, so I think that would be on a list of potential lawsuits that a company might face that might originate from voluntary disclosures.”

There is also the fear, perhaps well-grounded, that the voluntary information sharing framework in the executive order will be a mere stepping stone to a mandatory reporting requirement in the future.

Defense contractors, whose early efforts provided a framework for the executive order’s information sharing program, experienced something similar in December, when the 2013 National Defense Authorization Act required contractors with security clearances to report cyberattacks and system breaches.

“If I was an industry member, I would wonder if we’ll see a broader mandatory disclosure requirement that will apply to non-cleared contractors,” said Jon Burd, a government contracts attorney at Wiley Rein LLP. “None of that is on the immediate horizon, but it’s reasonable to wonder out loud whether that is a path that we may head down in the not too distant future.”

Published by Law360