Understanding Cybersecurity Due Diligence

Publication Type: Other Writing
Publication Date: September 16, 2015

Rarely does a day go by in which some variety of cyber attack is not front-page news. From Ashley Madison and the U.S. Office of Personnel Management to Sony, Saudi Aramco, and the Ukraine crisis, cybersecurity is increasingly taking center stage in diverse arenas of geopolitics, international economics, security, and law. But despite the increasing proliferation of these incidents, the field of international cybersecurity law and policy remains relatively immature, especially as it relates to cybersecurity due diligence.

What is cybersecurity due diligence? The term has been defined as “the review of the governance, processes and controls that are used to secure information assets.” Such due diligence obligations may exist between states, between non-state actors (e.g., private corporations), and between state and non-state actors.

International law, while informative, does not spell out how nations (or companies under their jurisdiction) should go about enhancing their cybersecurity to account for emerging due diligence obligations. There is currently no consensus from the International Court of Justice or elsewhere, for example, on when neutral transit countries must police their networks, such as by blocking cyber attacks that pass through them. As a result, it is helpful to consider what leading nations and firms are doing in this regard. To that end, we analyzed how three leading cyber powers—the U.S., China, and Germany—are approaching this topic. The result is a first-of-its-kind due diligence matrix, available here.

This matrix is not meant to be the last word on the topic of cybersecurity due diligence between these nations; rather, it is only meant to provide a snapshot and hopefully jumpstart a larger conversation about what the rights and responsibilities of nations are in this arena. To inform that discussion, it is also critical to consider the private-sector approach to due diligence.

Jason Weinstein, former deputy assistant attorney general at the U.S. Department of Justice, summarized the issue of cybersecurity due diligence succinctly when he said: “When you buy a company, you’re buying their data, and you could be buying their data-security problems.” In other words, “[c]yber risk should be considered right along with financial and legal due diligence considerations.” Already a majority of respondents in one 2014 survey reported that cybersecurity challenges are altering the M&A landscape, while eighty-two percent said that cyber risk would become more predominant over the following eighteen months.

A majority of surveyed firms also said that a cyber attack during the M&A negotiation process could scuttle the deal, which is a concern given the range of serious cyber attacks coming to light on a regular basis in an era of increasing mergers. Managers now considering what form cybersecurity due diligence should take have a wealth of resources (as well as a growing array of compliance obligations) to consider. These include, in the U.S. context, the NIST Framework, as well as guidance from the Securities and Exchange Commission, National Association of Corporate Directors, and the PCI Security Standards Council. Together, these frameworks, and others, provide the beginnings of a cybersecurity due diligence standard guiding judges as they work through causes of action such as breach of fiduciary duty and negligence resulting from data breaches.

Read the full piece at The Huffington Post