Newport, R.I.—Over 50 senior leaders and a small group of selected students gathered at the Pell Center on December 8, 2015 to participate in a four-hour cybersecurity tabletop exercise. The event, specifically designed for corporate executives and general counsels, was part of the Rhode Island Corporate Cybersecurity Initiative, and focused on best practices for incident response and mitigation.
The exercise was led by a panel of experts, including: Ellen Giblin, Privacy Officer at the Boston Children’s Hospital; Kevin Swindon, FBI Supervisory Special Agent in the Boston Cyber Division; Don Ulsch, Senior Managing Director at PwC; Ken Mortensen, Senior Managing Director at PwC; Stephen Ucci, Counsel at the Locke Lord law firm and RI State Representative; and Scott Baron, Chief Information Security Officer at Finance of America Holding. The panel, which represented the ‘dream team’ every company would wish to have to manage a potential cyber attack, took participants through a simulated cyber incident and provided considerations and tips on how to respond, remediate, and survive an attack.
Keynote speaker Peter Neronha, U.S. Attorney for the District of Rhode Island, offered some initial remarks and praised the work of the Pell Center over the last several years for raising awareness about the most pressing cybersecurity issues and for providing a venue where public and private sector leaders have been able to discuss ways to make their organizations—and thus Rhode Island—safer and more resilient to cyber incidents. Mr. Neronha shared some insights into his office's work prosecuting cybercrime and laid the groundwork for a productive discussion on the topic.
Participants in the exercise worked together to determine appropriate responses and mitigation strategies to the real-world scenario at hand, using existing regulations, policies, and procedures. The cybersecurity experts and practitioners in the room shared a wealth of information, including tips and lessons learned from some of the most sophisticated cybersecurity incidents they either investigated or helped large companies resolve and mitigate. They also discussed issues that often arise when working with law enforcement and encouraged attendees to consider all the resources available to them in the event of a cyber incident, including through state and federal law enforcement agencies, and the set of standards and guidelines that they should follow.
Francesca Spidalieri, Pell Center Senior Fellow for Cyber Leadership, moderated the event and provided additional input and suggestions. Repeating a line she is often quoted on, she reminded the audience: “There are really only two kinds of organizations: those that have been hacked, and those that don’t know they have been hacked. And that is why it is key to prepare before a breach happens.”
Each table, composed of lawyers, cybersecurity practitioners, corporate executives, and law enforcement officials, worked together to define a set of actions in response to each module of the event scenario. A representative of each table presented their findings, to which panelists offered constructive criticism and additional tips on successful mitigation strategies and post-breach measures. Module two, for example, presented an interesting challenge: whether or not to pay a costly extortion demand from the antagonist in the exercise. This gave the scenario an extra level of complexity, and panelist Don Ulsch emphasized the importance of understanding the full impact of such a demand on any company and the broad spectrum of risks and consequences of the decision to pay (or not pay) the ransom.
The panel also addressed disclosure obligations under current securities laws—some of which may require disclosure of cybersecurity risks and incidents in financial statements—and the pre- and post-breach guidance that may shape the way Boards of Directors address fiduciary obligations as part of corporate governance. Among the other major takeaways identified by participants were: the recognition that leadership plays a key role in establishing and sustaining an organizational culture of cybersecurity; the acknowledgment that developing relationships with law enforcement organizations pre-breach is fundamental; and the importance of employees’ cybersecurity training.
Attendees left the tabletop exercise with a road map on how to advise their companies and their clients facing a cyber incident, and on how to better prepare, respond, remediate, and survive a cyber attack.
Learn more about the Rhode Island Corporate Cybersecurity Initiative here.