The news of the recent massive data breach at Capital One made the front pages of the business sections of newspapers across the country. The hack has drawn attention not just because of its magnitude, but also because the hackers apparently managed to steal data from The Cloud. The Capital One data breach represents a “wake-up call” for boards of directors, according to the following guest post from John Reed Stark. John is President of John Reed Stark Consulting and former Chief of the SEC’s Office of Internet Enforcement. A version of this article originally appeared on Securities Docket. My thanks to John for allowing me to publish his article on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is John’s article.
Another day, another data breach. This time at Capital One, the fifth largest credit card issuer in the United States.
Specifically, on July 29, 2019, FBI agents arrested Paige A. Thompson on suspicion of downloading nearly 30 GB of 100 million Capital One Financial Corp credit applications from a rented cloud data server. The FBI says Capital One learned about the theft from a July 17, 2019, email stating that some of its leaked data was being stored for public view on the software development platform Github. That Github account was for a user named “Netcrave,” which includes the resume and name of Paige A. Thompson. According to the FBI, Thompson also used a public Meetup group under the alias “erratic,” where she invited others to join a Slack channel named “Netcrave Communications.”
KrebsOnSecurity actually entered the open Netcrave Slack channel on July 30, 2019, and reviewed a June 27, 2019 commentary by Thompson, which listed various databases she found by hacking into improperly secured Amazon cloud accounts, suggesting that Thompson may also have exfiltrated tens of gigabytes of data belonging to other major corporations.
Ironically, Capital One is considered by many to be a digital banking pioneer and one of the more cyber-savvy companies in the world, evidencing how even the most technologically mature organizations are struggling to manage the rising force of third-party cyber-risk.
Make no mistake: vendors, partners, business associates, and other third parties whose outsourced operations become integrated within a company, can pose a challenging and existential cybersecurity threat to operations. Yet despite increased regulatory scrutiny; growing virtual threats at a global, national and state level; and a riskier business environment, most experts would attest that the relative maturity level of vendor risk management programs is still lacking. For example, CrowdStrike’s 2018 report “Securing the Supply Chain” states:
“Although almost 90 percent of the respondents believe they are at risk for supply chain attack, companies are still slow to detect, remediate and respond to threats.”
Undoubtedly, upon learning of the Capital One hack, corporate board members across the U.S. are likely struck by one immediate thought (there but for the grace of God go I) and one immediate question (What should I do now?).
This article tackles the issue of third party digital risk management head-on, by offering a useful and comprehensive strategic framework for boards of directors to undertake intelligent, thoughtful, and appropriate supervision of a company’s vendor-related cybersecurity risks, especially those risks relating to cloud computing services.
Vendors and Cybersecurity
Companies today rely on a broad range of third party vendors to support core business functions, which typically entails granting these third-party entities access to a company’s data and its internal systems. This digital interconnectivity between vendor and customer creates an inherent risk, as cybersecurity shortcomings of third-party vendors have become the go-to attack vector for cybercriminals. In fact, PWC reports that 63% of all cyber-attacks could be traced either directly or indirectly to third parties.
Vendors often maintain less stringent security protocols, raise fewer suspicions and allow for easier identity masking — providing ideal points of entry for attackers looking to leverage unauthorized access. For example, in the Target breach, attackers began by using malware to steal credentials from the air conditioning subcontractor, and from there had access to Target’s vendor-dedicated web services. In the JP Morgan data breach, the cyber-attack infiltrated J.P. Morgan’s Corporate Challenge online platform run by an outside website vendor.
Some other recent examples illustrate how varied and almost epidemic cyber-attacks vis-a-vis third party vendors have become, including:
AMCA (Billing Vendor). Billing services vendor American Medical Collections Agency (AMCA) was hacked for eight months between August 1, 2018 and March 30, 2019, impacting more than 25 million patients. At least six covered entities have come forward to report their patient data was compromised by the AMCA hack, including 7.7 million LabCorp patients, 12 million Quest Diagnostics patients and 422,000 BioReference patients. Unable to manage the financial impact of the data breach, AMCA has now filed for Chapter 11 bankruptcy;
Applebee’s (Point of Sale Vendor). The Applebee’s restaurant chain reported point-of-sale data breaches that resided on a third-party system and exposed payment card information at some of the chain’s corporate and franchised locations, possibly affecting all of its 167 locations. The exfiltrated information included cardholder name, credit/debit card number, expiration date, cardholder verification value, and service code. Similar breaches of payment systems occurred at fast food chains Sonic Drive-In, Arby’s, and Chipotle, and stores Forever 21, Whole Foods, Kmart, and Brooks Brothers; and
BestBuy, Sears, Kmart, Delta (Chat Vendor). These vastly different companies had one characteristic in common: they all used 7.ai, a chat and customer services vendor for many brand names, which was hacked via malware, compromising credit card information, addresses, CVV numbers, card expiration dates and other personal data across multiple customer groups.
Boards and Cybersecurity
Every board now knows its company will fall victim to a cyber-attack, and even worse, that the board of directors will need to clean up the mess and superintend the fallout. Yet cyber-attacks can be extraordinarily complicated and, once identified, demand a host of costly responses.
Consider the Capital One data breach. When a cyber-attack involves a third party vendor of any sort, a myriad of tasks immediately emerge, including:
- Digital forensic preservation and investigation;
- Fulfillment of state and federal compliance obligations;
- Responding to potential litigation with third parties;
- Class action defense (within 24 hours of the Capital One announcement, plaintiffs had already filed a bevy of class suits against Capital One);
- Engagement with law enforcement (the FBI is already investigating other possible data breaches related to Capital One);
- State regulatory response (New York Attorney General Letitia James announced that her office immediately opened an investigation into the Capital One incident stating, “Safeguards were missing that allowed for the illegal access of consumers’ names, Social Security numbers, dates of birth, addresses, and other highly sensitive, personal information.”);
- Provision of credit monitoring and identity protection;
- Managing of insurance claims;
- Public relations planning; and
- So many other anticipated and unanticipated breach-related tasks such as briefing customers, partners, employees, affiliates, insurance carriers, and a range of other interested parties.
And besides the more predictable workflow, Capital One will become exposed to other, even more intangible costs as well, including temporary, or even permanent, reputational and brand damage; loss of productivity; extended management drag; and a negative impact on employee morale and overall business performance.
Given the explosive growth of outsourced technology services and the increasingly intimate cyber-integration and relationship of companies and third party vendors, boards need to monitor and challenge their third-party exposure and ensure the proper implementation of safeguards and processes to reduce their vulnerability.
Boards, Vendors and Data Breaches
Outsourcing of services such as information technology (IT), payroll, accounting, pension, and other financial services, has become increasingly common for today’s corporations, and raises particularly challenging cybersecurity concerns. For instance, the Trustwave 2018 Global Security Report (GSR) found a marked increase of 9.5% in compromises targeting businesses that provide IT services. In stark contrast, service provider compromises did not even register in the 2016 GSR statistics.
Given this sudden explosion of IT-related vendors, boards of directors should probe the practices and procedures of their respective companies with respect to the cybersecurity of their vendors. Most importantly, boards should understand that data security incidents involving companies and their vendors are a “two way street.” In other words, given that cyber-attackers will often traverse across a company’s network and into the networks of its vendors or vice versa, cyber-attacks can often result in disputes as to the culpability for an attack.
Along these lines, boards should confirm that their respective companies carefully manage vendor access to their networks, customer data or other sensitive information, by inquiring whether their respective companies:
- Have high standards for their vendors, mandating for instance that vendors: have been in business for a reasonable amount of time; have earned certain data security and government compliance certifications (such as PCI, HIPAA and SOX); have annual third party risk and security assessments (which the company can review); make proper use of encryption; use the latest methodology and technology to protect and control access to data and ensure that it meets current security trends and regulations; use two-factor authentication; maintain good password management; have strong cybersecurity training practices; have incident response plans, disaster recovery plans, table-top cyber-attack exercises and place limitations on daily ingress or egress of data;
- Place vendors into different risk categories based on the nature and quantity of company information to which they have access (such as personally identifiable information (PII), payment card information (PCI) or protected health information (PHI)). For example, if a vendor has access to PII or to PHI, then a data breach at the vendor would impact the company substantially. But if the vendor only accesses publicly available information, a data breach would have far less of an impact;
- Map data-flow by assigning data custodians, implementing system controls, enforcing security policies and executing strict data handling procedures and auditing;
- Research whether vendors have experienced data security incidents in the past and how those incidents were handled;
- Consider constructing an interactive vendor portal for sharing knowledge and a hotline to answer and report issues;
- Ensure that vendors maintain proper incident-response protocols (e.g. who is the responsible party within the organization to notify when a vendor experiences a data security incident? What is the notification procedure? What is the anticipated timeline?);
- Consider physical site visits to assess vendor cybersecurity first-hand;
- Have contractual agreements with vendors that cover audit rights, cooperation rights and other relationship-based demarcation definitions;
- Ensure that vendors adhere to all applicable laws, especially those relating to data privacy, such as the General Data Protection Regulation (GDPR), Privacy Shield Framework, and the new California Consumer Privacy Act (CCPA);
- Conduct due diligence on vendors to assess their security and privacy practices as part of a procurement process and throughout the ongoing vendor relationship. This means establishing via written agreements and ongoing supervision, formal vendor management programs that assess risk and identify potential cybersecurity concerns prior to engaging in a business relationship;
- Include robust privacy and data security clauses in contracts with vendors, including strict and broad data security incident notification provisions;
- Maintain a register of all vendors and the types of personal, sensitive or confidential information the vendors access, store, share, transfer, etc.;
- Engage in annual third party cybersecurity audits and assessments;
- Check references of vendors, and establish clear “data out” procedures if the company wants to terminate its relationship with a vendor;
- Review not just how sensitive data will be stored, but also how it will be handled when a vendor relationship ends (because former vendor relationships can create even greater risk to an organization than existing ones); and
- Create contractually defined practical and realistic appropriate remediation protocols.
If vendors conduct remote maintenance of a company’s networks and devices, in the event of a cyber-attack, the company may want to confirm it can obtain copies of any relevant logs, as well as access the third-party system to scan for IOCs.
Boards should also probe the company/vendor communication lines and make sure they are established and thoughtfully staffed and structured, incorporating all of the legal implications of communications. One simple inculpatory miscommunication from the company’s IT department to a vendor (e.g. “I think we screwed up and missed a patch.”) can trigger calamitous legal liabilities.
Boards should also probe whether a company’s vendors have cyber insurance coverage and/or agreements that require the vendor to defend and indemnify the company for legal liability arising from any release or disclosure of the information resulting from the cybersecurity failure of the vendor. Similarly, boards should probe how vendors will deal with government requests or subpoenas that involve data of the company. For instance, will the company be notified and will the company be offered an opportunity to contest any subpoena (and who will pay for any resulting litigation against the government pertaining to the subpoena’s enforcement)?
For boards, the appropriate level of cybersecurity due diligence for vendors is bespoke. Consider the New York State Department of Financial Services (NYDFS) Cybersecurity requirements for financial services firms, one of the more onerous state cyber-regulatory regimes in the country, which lays out more general requirements than specific ones.
For example, per the NYDFS, not all third party service providers are specifically required to implement multi-factor authentication and encryption. Rather, New York financial firms must engage “in a risk assessment regarding the appropriate controls for third party service providers based on the individual facts and circumstances presented and does not create a one-size-fits-all solution.”
When a Vendor Suffers a Data Breach
With respect to data security incidents, a board should focus its lens on two distinct perspectives:
- What happens if there is a data security incident at a vendor which impacts the company; and
- What happens if there is a data security incident at the company that impacts a vendor.
Under either scenario, much of the communication and cooperation between a vendor and a company will be dictated by the contractual terms governing their relationship.
Along these lines, boards should also confirm that their respective companies have contractual language establishing the company’s rights when a cyber-attack occurs involving a vendor, which can range from notification, to on-site inspections, to the option of an independent risk and security assessment/audit of the vendor (at the vendor’s, and not the company’s, expense).
Specifically, in the event of a data security incident at a vendor, contracts should explicitly allow for the company to know all relevant facts relating to the cyber-attack, especially:
- Whether their data has potentially been compromised;
- Whether services will experience any disruption;
- The nature of remediation efforts;
- Whether there are any official or unofficial findings of any investigation; or
- Whether there is any other information that can impact their operations or reputation.
On the other hand, when a company discovers a data security incident, vendors might make requests to the company, such as seeking images of malware and indicators of compromise (IOCs) or wanting to visit the company and inspect the company with its own investigation team. Vendors may ask for weekly or even daily briefings and may demand attestations in writing with respect to any findings pertaining to their data. Boards should also probe these requirements, obligations, protocols, etc., to ensure that these communication lines are contractually defined, controlled and properly modulated.
Spotlight: Cloud Storage Vendors
Whether AWS will be held at all responsible for Thompson’s alleged cyber-attack upon Capital One remains to be seen. AWS emphatically denies any culpability, issuing a statement asserting:
“AWS was not compromised in any way and functioned as designed . . . The perpetrator gained access through a misconfiguration of the web application and not the underlying cloud-based infrastructure. As Capital One explained clearly in its disclosure, this type of vulnerability is not specific to the cloud.”
AWS might have a good point. First, according to the Capital One news release announcing the incident, the firewall configuration vulnerability that Thompson exploited is “a specific configuration vulnerability in our infrastructure . . . not specific to the cloud.” Capital One even touts the cloud as helping with its incident response, stating:
“The speed with which we were able to diagnose and fix this vulnerability, and determine its impact, was enabled by our cloud operating model.”
Second, the outcome will center around the contractual arrangement between AWS and Capital One, and AWS’s notoriously detailed contracts tend to favor AWS (according to Gartner, AWS has a 47.8% market share of the cloud computing space). Third, users like Capital One typically maintain full control over any applications they build on top of AWS.
On the other hand, there is a wildcard thrown into the liability calculus that could become a problem for AWS: Thompson is a former AWS employee who worked in the company’s S3 cloud storage technology group, and is suspected of exfiltrating data from other possible AWS customers. As more information is stored in the cloud, staff system engineers like Thompson, trained to become experts using these cloud systems, could become a threat to other companies. If it’s established that Thompson somehow used proprietary AWS information in order to carry out her hack into Capital One, or perhaps that AWS should have done more to alert Capital One about server configuration vulnerabilities or errors, liability could shift to AWS.
Interestingly, AWS considers Capital One to be a prized customer. In fact, Capital One’s CIO Rob Alexander gushed ad nauseam over AWS at a 2015 Las Vegas AWS conference. AWS even showcases the interconnectivity of its Capital One relationship on the AWS website, stating:
“Capital One is using AWS as a central part of its technology strategy. As a result, the bank plans to reduce its data center footprint from eight to three by 2018. Capital One is one of the nation’s largest banks and offers credit cards, checking and savings accounts, auto loans, rewards, and online banking services for consumers and businesses. It is using or experimenting with nearly every AWS service to develop, test, build, and run its most critical workloads, including its new flagship mobile-banking application. Capital One selected AWS for its security model and for the ability to provision infrastructure on the fly, the elasticity to handle purchasing demands at peak times, its high availability, and its pace of innovation.”
Under any circumstance, whether AWS shoulders any of the liability for the Capital One breach, the incident should still serve as a wake-up call for the bet-the-company cybersecurity risks associated with utilizing cloud computing services, and highlights the importance of knowing who becomes liable in the event of a cloud-related data security incident.
Cloud Services and Cybersecurity
More companies, from government to manufacturing to retail, are becoming increasingly comfortable about moving their data to the cloud. Why? Because cloud platforms coordinate the global integration of networks and enable new, highly complex business models, dramatic cost savings, exponential scalability, increased mobility and easier collaboration.
Indeed, the global public cloud computing market is set to reach $258 billion in 2019, with an average of about one third of companies’ IT budget going to cloud services. Banks in particular are forecast to spend more than $53 billion on public cloud infrastructure and data services, up from $24.3 billion in 2018. But all of this growth is not without risk.
When a company stores critical or confidential information in the cloud, that information is essentially stored off-site, possibly in another country. Along these lines, boards should confirm that their respective companies are using cloud providers that can reasonably protect and provide assurances on overall data security.
Specifically, boards should probe a company’s cloud-related practices, especially an assessment of any enterprise-grade security systems and analytics, a determination of the attack vectors, and a review of data security measures. Important questions include:
- Whether the cloud data is encrypted (at rest and in transit);
- Who holds the encryption keys for cloud data;
- Whether the cloud data is subject to search and seizure (both domestically and internationally);
- The nature of data protections used by the cloud firm;
- How transparent the cloud providers’ own security systems are;
- What access can the company get to the cloud provider’s data center and personnel to ensure the security system is in place and functioning and make sure it can undertake a risk assessment and design a response plan;
- Whether company customers have given approval for cloud storage of their data;
- What the cloud servicers’ responsibilities are to update their security systems as technology and cyber-attack sophistication evolves;
- How the cloud providers continuously monitor, detect, and respond to security incidents;
- What cloud logging exists and how long logs are maintained;
- How and when cloud data is destroyed;
- Whether cloud data could be subject to a litigation hold and what technologies allow for the cloud data’s perusal;
- What happens when a cloud company receives a subpoena or other request or is subjected to a search warrant from any government that involves the company’s data;
- What auditing is permitted of the security capabilities of the cloud company;
- What regulatory and privacy requirements apply to the PII, PHI, personal financial information, or other customer data within the cloud data;
- Whether the cloud firm and the company have any indemnification agreements or evidence of cyber insurance;
- Whether the company’s insurance policies cover losses from activities undertaken by the cloud service providers in the event of a cyber-attack;
- What types of pen testing are undertaken by the cloud firm; and
- What the specific details and efficacy of security policies and procedures of the cloud firm are.
Boards should also confirm that a company has a comprehensive means to prevent sensitive data from being uploaded to the cloud for inappropriate sharing, and the requisite visibility and access to detect anomalies, conduct further investigation and launch quick and decisive remedial action.
Along these lines, questions should cover technologies used to prevent the unauthorized use of cloud applications by employees; internal controls regarding any cloud applications used by employees; an incident response plan for handling an attack on any cloud application; and employee training concerning use of cloud applications.
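As an added illustration of the preventive control described above, and not code from the article or from any company it names, the following Python example shows the kind of outbound content check a data-loss-prevention (DLP) gateway applies before a file leaves for a cloud file-sharing service: it flags US Social Security numbers and Luhn-valid payment card numbers, masks the findings so the alert itself does not re-expose the data, and combines the result with an allowlist of sanctioned cloud hosts to reach a block/alert/allow decision. The host names, the policy outcomes and all sample content are constructed assumptions for the example.

```python
"""
Added example: minimal DLP-style pre-upload check for sensitive data.
Everything here (hosts, policy, sample text) is constructed for illustration
and is not the article's or any vendor's real configuration.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Hypothetical allowlist of sanctioned enterprise cloud file services.
APPROVED_CLOUD_HOSTS = {"corp-files.example.com", "drive.corp.example.com"}

# US SSN in the form AAA-GG-SSSS, excluding never-issued area/group/serial values.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate payment card number: 13 to 19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four digits so the alert record is not itself sensitive."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


@dataclass
class ScanResult:
    ssn_count: int = 0
    pan_count: int = 0
    samples: list = field(default_factory=list)   # (type, masked value) pairs for the analyst

    @property
    def sensitive(self) -> bool:
        return self.ssn_count > 0 or self.pan_count > 0


def scan_text(text: str) -> ScanResult:
    """Classify a text blob; card candidates count only if they pass Luhn."""
    result = ScanResult()
    for m in SSN_RE.finditer(text):
        result.ssn_count += 1
        result.samples.append(("SSN", mask(m.group())))
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):
            result.pan_count += 1
            result.samples.append(("PAN", mask(digits)))
    return result


def upload_decision(destination_url: str, content: str) -> str:
    """
    Assumed policy for this example:
      unapproved host + sensitive content   -> BLOCK
      unapproved host, nothing sensitive    -> ALERT (unsanctioned cloud use)
      approved host + sensitive content     -> ALLOW_AND_LOG
      approved host, nothing sensitive      -> ALLOW
    """
    host = urlparse(destination_url).hostname or ""
    approved = host in APPROVED_CLOUD_HOSTS
    findings = scan_text(content)
    if not approved and findings.sensitive:
        return "BLOCK"
    if not approved:
        return "ALERT"
    if findings.sensitive:
        return "ALLOW_AND_LOG"
    return "ALLOW"


if __name__ == "__main__":
    # Constructed sample: one SSN, one Luhn-valid test card, one invalid digit run.
    sample = "Applicant SSN 123-45-6789, card 4111 1111 1111 1111, ref 1234 5678 9012 3456"
    print(scan_text(sample))
    print(upload_decision("https://files.example.net/upload", sample))
    print(upload_decision("https://corp-files.example.com/upload", sample))
```

The check is deliberately content-based rather than destination-based alone, because the second half of the paragraph above asks for visibility into anomalies as well as prevention: an unsanctioned destination with harmless content produces an alert for review, while sensitive content headed anywhere is at least logged.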
Cloud-Based Filing Services
Cloud-based file-sharing services, such as Dropbox, Google Drive, Box, and others, are another way confidential information leaks out of a company – and have become an increasingly popular way to store, back-up, transfer and temporarily warehouse large data files.
Such cloud services often are used through personal accounts, despite many large companies prohibiting, as a matter of policy, the use of such services for these purposes. Some companies also block access to such services from the company’s systems (such as desktops, laptops, tablets, phones, etc.) with effective security controls, while other companies are less sophisticated or simply resist the notion of becoming the automated “data nanny” for their employees.
Boards should probe the company’s policies, practices and procedures regarding cloud-sharing services used by employees and confirm that the company maintains adequate and appropriate cybersecurity for the myriad of enterprise and personal cloud-service applications.
As companies expand, they must inevitably trust critical business operations to third parties for specialty services, especially those relating to technology. But while the influx of third party fintech, including cloud computing, can benefit companies exponentially, their integration also triggers additional costs and risks. By expanding and complicating digital ecosystems, IT outsourcing can increase vulnerabilities and weaknesses, thereby creating dramatic bet-the-company threats relating to cybersecurity and data management. Capital One is clearly learning this lesson the hard way.
For corporate directors, who have a fiduciary duty to understand and oversee cybersecurity, yet often have little, if any, cybersecurity experience, there is no need to feel insecure. Given that just one successful attack can irreparably damage a company built on 100 years of excellence and hard work, who can blame board members for lacking confidence in how they are monitoring cybersecurity risk, both within the organization and especially among vendors. But cybersecurity engagement for boards does not mean that board members must obtain computer science degrees or personally supervise firewall implementation and intrusion detection system rollouts.
Responsible boards of directors can begin by becoming more preemptive in evaluating cybersecurity vendor risk exposure, and endeavor to elevate cybersecurity from an ancillary IT concern to a core enterprise-wide risk management item, at the top of a board’s oversight agenda. Indeed, a recent Protiviti study shows that higher levels of board engagement with vendor risk management often lead to sufficient resource allocations to those programs. And, as might be expected, lower board engagement is often a characteristic of underperforming vendor risk management programs.
Good cybersecurity hygiene is good for business; it evidences discipline, maturity, integrity, dependability, reliability, trustworthiness and a whole lot more. By approaching cyber-risks of vendors with vigorous, skeptical, intelligent, independent and methodical administration and inquiry, boards will not just ensure that company data is appropriately secure; boards will also make their companies more prosperous. My dad always preached that if you want success, start with your health. The same definitely goes for cybersecurity.
John Reed Stark is president of John Reed Stark Consulting LLC, a data breach response and digital compliance firm. Formerly, Mr. Stark served for almost 20 years in the Enforcement Division of the U.S. Securities and Exchange Commission, the last 11 of which as Chief of its Office of Internet Enforcement. He currently teaches a cyber-law course as a Senior Lecturing Fellow at Duke Law School. Mr. Stark also worked for 15 years as an Adjunct Professor of Law at the Georgetown University Law Center, where he taught several courses on the juxtaposition of law, technology and crime, and for five years as managing director of global data breach response firm, Stroz Friedberg, including three years heading its Washington, D.C. office. Mr. Stark is the author of “The Cybersecurity Due Diligence Handbook.”