The Cybersecurity Law Report

Incisive intelligence on cybersecurity law and regulation

By Topic: Insider Risk

  • From Vol. 4 No.26 (Aug. 22, 2018)

    Protecting Against the Security Risks of Departing Employees

    Companies should always be vigilant when it comes to insider threats, but they should be extra cautious when employees are preparing to leave. Whether the departure is voluntary or acrimonious, companies should have effective policies in place and be prepared to take protective actions at a departure announcement, the time of departure and during the weeks that follow. Mike Pappacena, an ACA Aponix partner for cybersecurity and risk, spoke to The Cybersecurity Law Report about how organizations should protect themselves against data and trade secrets walking out the door with departing employees. See also “Effective and Compliant Employee Monitoring (Part One of Two)” (Apr. 5, 2017); Part Two (Apr. 19, 2017).
  • From Vol. 4 No.6 (Mar. 28, 2018)

    Beware of False Friends: A Hedge Fund Manager’s Guide to Social Engineering Fraud

    Cybercriminals are increasingly relying on social engineering to attack corporate systems. Certain types of companies such as hedge funds are particularly vulnerable, given that they typically lack extensive in-house cybersecurity expertise, deal with large sums of capital and have relationships with powerful clients and individuals. Social engineering fraud poses a number of risks to fund managers. Fortunately, managers can mitigate these risks by training employees, instituting multi-factor authentication, adopting verification procedures, limiting user access and monitoring cybersecurity regulations. In addition, managers are increasingly able to rely on insurance to cover social engineering fraud losses. In a guest article, Ron Borys, senior managing director in Crystal & Company’s financial institutions group, and Jordan Arnold, executive managing director in K2 Intelligence’s New York and Los Angeles offices and head of the firm’s private client services and strategic risk and security practices, examine the risks of social engineering fraud, how fund managers can prevent it and how insurance policies can be used to protect against related losses. See also “What the Financial Industry Should Know to Recognize and Combat Cyber Threats (Part One of Two)” (Jul. 26, 2017); Part Two (Aug. 9, 2017).
  • From Vol. 3 No.8 (Apr. 19, 2017)

    Effective and Compliant Employee Monitoring (Part Two of Two)

    Experts agree that network monitoring is a critical proactive cybersecurity measure. But complexities arise that require cross-department coordination and deep understanding of numerous privacy limitations and other legal requirements. The second installment of this two-part series provides operational guidance on implementing monitoring programs and navigating contrasting rules in Europe, as well as issues surrounding individual monitoring, monitoring for non-security purposes, and data controlled by third parties. The first part tackled the role of data monitoring, effective notice, legal considerations, and specific policy considerations. See also “Do You Know Where Your Employees Are? Tackling the Privacy and Security Challenges of Remote Working Arrangements” (May 25, 2016).
  • From Vol. 3 No.7 (Apr. 5, 2017)

    Effective and Compliant Employee Monitoring (Part One of Two)

    When can companies “spy” on their employees? Monitoring data systems and employee digital activity is critical to reducing the significant cybersecurity risks that employees pose (either inadvertently or maliciously), but companies do need to make sure they comply with consent and other legal requirements when implementing surveillance programs. This first part of a two-part series on the topic addresses the role of data monitoring, effective notice, legal considerations, and specific policies regarding BYOD, termination and remote employees – including stories from the trenches. Part two will provide operational guidance on implementing effective and compliant monitoring programs, and discuss privacy concerns in different types of employee surveillance, including the contrasting rules and approaches in Europe. See also “Strategies for Preventing and Handling Cybersecurity Threats From Employees” (Apr. 8, 2015).
  • From Vol. 3 No.5 (Mar. 8, 2017)

    A Real-Life Scenario Offers Lessons on How to Handle a Breach From the Inside

    Picture this data breach scenario: A company’s customers discover that their online account details have changed. They later realize that their bank account details had also been changed, and refunds due to them were fraudulently transferred to another bank account. What is the best way to proceed with the investigation, especially after law enforcement’s trail has gone cold? How can the company enhance its cybersecurity going forward? This scenario, which involved an employee stealing data, was analyzed in the 2017 Verizon Data Breach Report. We discuss how the company handled the scenario and the lessons it learned, with input from BDO managing director Eric Chuang. See “Strategies for Preventing and Handling Cybersecurity Threats From Employees” (Apr. 8, 2015).
  • From Vol. 2 No.17 (Aug. 24, 2016)

    Cybersecurity Due Diligence in M&A Is No Longer Optional

    The heightened importance of cybersecurity in the corporate environment has made it vital for potential acquirers to assess the IT systems of target companies to determine their value and risk. Despite an increased awareness of the importance of cyber due diligence, many companies lack the proper personnel to conduct thorough analyses, according to a new study by West Monroe Partners and Mergermarket that surveyed top-level corporate executives and private equity partners about their companies’ practices. The results provide a window into the trends that shape the diligence process, as well as insights into the ways it can be improved. We summarize the study’s key findings. See also “Tackling Cybersecurity and Data Privacy Issues in Mergers and Acquisitions (Part One of Two)” (Sep. 16, 2015); Part Two (Sep. 30, 2015).
  • From Vol. 2 No.16 (Aug. 3, 2016)

    Procedures for Hedge Fund Managers to Safeguard Trade Secrets From Rogue Employees

    In an era when high-profile data theft cases have shaken some people’s faith in the security of personal information entrusted to fund managers, it is critically important for firms to take steps to detect, prevent and address such thefts by rogue employees. This is of particular urgency for hedge fund managers now that the SEC has stepped up its focus on cybersecurity. Data security and the measures that can help safeguard trade secrets and sensitive information were the focus of a recent Hedge Fund Association panel discussion featuring participants from the law firm Gibbons, the litigation consulting firm DOAR and the hedge fund Litespeed Partners. See also “How Financial Service Providers Can Address Common Cybersecurity Threats” (Mar. 16, 2016).
  • From Vol. 2 No.15 (Jul. 20, 2016)

    Using Data Analytics to Combat Internal Cyber Threats

    Insiders with authorized access and malicious intent to misappropriate company data present significant threats to the protection of valuable information. EY senior manager Paul Alvarez and executive director Alex Perry recently spoke with The Cybersecurity Law Report about strategies and specific tools companies can use to analyze available data – such as employee behavior (including behavior on social media) and audio information – to identify and protect against these threats. See also “Strategies for Preventing and Handling Cybersecurity Threats From Employees” (Apr. 8, 2015) and “Designing, Implementing and Assessing an Effective Employee Cybersecurity Training Program”: Part One (Feb. 17, 2016); Part Two (Mar. 2, 2016); Part Three (Mar. 16, 2016).
  • From Vol. 2 No.11 (May 25, 2016)

    Do You Know Where Your Employees Are? Tackling the Privacy and Security Challenges of Remote Working Arrangements

    The growing number of individuals working remotely, telecommuting or traveling with increasing frequency has challenged the traditional business cybersecurity model. With the advent of new technologies that support remote working arrangements, the secure, clearly defined perimeter many organizations once enjoyed has become a bit less distinct. The Cybersecurity Law Report spoke to Heather Egan Sussman, a privacy and data security partner at Ropes & Gray, about the privacy and security implications for employees working remotely, both in the U.S. and abroad, and proactive measures companies can take to ensure proper protections are in place and that they are compliant with the relevant laws. See also “How to Reduce the Cybersecurity Risks of Bring Your Own Device Policies”: Part One (Oct. 14, 2015); Part Two (Nov. 11, 2015).
  • From Vol. 1 No.1 (Apr. 8, 2015)

    Strategies for Preventing and Handling Cybersecurity Threats from Employees

    Not all data breaches stem from trained cybercriminals – in fact, many cybersecurity incidents come from the inside. They are initiated by an employee’s inadvertent mistake or intentional act. In this interview with The Cybersecurity Law Report, Holly Weiss, a partner in the Employment & Employee Benefits Group, and Robert Kiesel, a partner and chair of the Intellectual Property, Sourcing & Technology Group, at Schulte Roth & Zabel, discuss: the two categories of internal cybersecurity threats (inadvertent and intentional); specific ways to protect against those threats, including effective training methods and “bring your own device” policies; and the effect of relevant regulations.