Paul Ferrillo is a senior counsel at the law firm Weil, Gotshal & Manges LLP. He started his career as a securities and corporate governance lawyer. About three years ago, Mr. Ferrillo was asked to get involved in the cybersecurity area because he could see the threat to corporate America growing exponentially and that clients were in extraordinary need of plain-English advice on how to handle this new and growing area of risk to their companies. Even more so, it was very unclear what governance practices and procedures were necessary in order to assess and deal with that risk, because it was a multi-headed problem. In addition, he has a heavy practice in the cybersecurity area counseling companies and private equity funds on cybersecurity risk and governance assessments, incident response and business continuity planning and training, as well as annual compliance examinations for regulated investment advisers and funds.
LIFARS: When did you start to first see the signs that the cybersecurity industry was growing?
Mr. Ferrillo: Given my historical involvement in the corporate insurance world, I have always touched upon cybersecurity and breach issues. But certainly more so in 2013, when Target got breached. It then became extremely clear, not only what a tremendous threat cyber attacks were, but the devastating effect that they can have on a corporation, its customers and investors. From there on, I have devoted a substantial amount of my energies to making sure, to the best extent I am able, that a cyber attack never causes devastating damage to one of our clients. The reality of this tremendous attack added up to about a $10 billion loss in market capitalization and a 40% loss in foot traffic in 2013, which amounted to about a $500 million loss to Target, on top of whatever substantial amount of money it took them to clean up the damage from the breach.
LIFARS: As the industry continues to grow, do you see the next year focused on cyber technical or tactical exercises? In what capacity?
Mr. Ferrillo: I see our world focused on tactical exercises and assessments. Companies understand the importance of incident response planning. Companies understand the need for business continuity planning, but with the trickle-down theory of cyber crime allowing more and more access to damaging cyber attacks, we have to turn our incident response teams into hunter mentalities, instead of malware reactors. We have to do more assessments than we are used to, such as compromise assessments and incident response assessments. I really do see the need for more hands-on work in order to train not just employees, but the incident response teams, to do a much better job hunting offensively for problems, rather than just reactively addressing things that come to mind. Remember, it takes on average 205 days for a company to find out it has been breached. In those 205 days, a massive amount of damage can happen to a corporation. We have to knock that number down.
LIFARS: In your book, Navigating the Cybersecurity Storm, you give an overview and directions of where you think the evolution of the cybersecurity industry is headed in the next decade. Would you share with us a taste of your projections?
Mr. Ferrillo: Attackers have progressed so fast and are so smart, so intelligent, that we have to realize that and come up with new and creative ways to hunt down attacks and incursions and incidents and breaches. I see our world turning towards non-signature-based intrusion detection systems, which are not just looking for known bad signatures, but are looking for anomalous activity, perhaps noting exfiltration of files during off-hours. Those types of non-signature-based anomaly detection systems are extraordinarily important. In fact, you need these systems every day, given the recent trend of very substantial DDoS attacks. When an incident response team is dealing with those attacks, somebody comes in through the "backdoor" and implants malware on their system. We need to look at these systems both apart and together to figure out when we are being attacked and how we are being attacked. There needs to be an improvement in actionable threat intelligence. Just reading the newspaper, blogs, etc. is not good enough, for the very reason we are talking about DDoS attacks. We have to understand who our attackers are, what techniques they are using and how to discover those techniques. I am a big believer in Red Team, Blue Team exercises for that reason. The existing threat actors and vectors, played and implemented by the Red Team, train the Blue Team incident responders to be able to find these attacks. We have to proactively hunt down incidents, helping our incident response teams hunt down potential breaches and really stop them before they can do any tremendous amount of damage. Today, with the events in Paris, I fear we are in for a new round of hacktivist or ISIS attacks.
LIFARS: In this new world, where can we say the fault lies on us, and when do we start taking responsibility for what we are not doing? How do we start implementing things to ensure we are no longer on defense, but go on offense?
Mr. Ferrillo: We need to communicate better inside companies. The apparent trend of CISOs not talking to the C-suite, and the C-suite not talking to directors, has left us in a pickle. There needs to be a better mode of communication. The second piece that I advocate constantly is that we have to come to a principle-based approach to cybersecurity, like using the National Institute of Standards and Technology (NIST) Cybersecurity Framework. It would benefit companies to adopt this framework in order to have discussions around it, to document those efforts, and to proactively show regulators, plaintiff counsel, investors and customers that we are truly paying attention to the status of security by having these important discussions, changing our tactics, and improving our cybersecurity posture. If we do it in a regimented and documented way, we will be putting ourselves in a better position. Again, assuming we are breached, somebody will have to show that somebody had their eye on the ball.
Getting back to tactical cyber approaches: the 205-day problem that I referenced earlier is a big problem, and without doing a compromise assessment on your own, or a vulnerability assessment, or Red and Blue Team training, we are not taking proactive steps toward knowing if we have been breached. The companies that take that proactive approach will be praised and those that don't will be criticized. We do, however, have the NIST framework, which gives us the ability to prove through documentation that, in considering the problem or acting on the problems, we are making business judgements to the best that we can.
As far as cybersecurity firms go, they need to help educate clients that it is not just hardware that is going to win it at the end of the day. It is taking proactive steps in order to dig into a network to see if it has been breached or not. Not many clients understand the different types of assessments that can be done, and this is where the education comes in. This is a tough job because some of this is certainly complicated. On the other hand, I would rather know first if I have been breached rather than having the FBI or US Secret Service tell me first.
LIFARS: From the legal aspect, how do you see legislation, federal and state, building a unified entity that protects privacy? In addition, how do privacy rights differ across regions?
Mr. Ferrillo: There are a number of federal statutes involved, depending upon which industry sector you are talking about. Each of the states has its own privacy-related statutes, and it would take hours to talk about all of them. We certainly have a great deal of privacy-type requirements. Then, if you are a multinational company, you'd build on international requirements under the UK or EU directives, as they expand.
I, personally, am pro-cybersecurity and anti-terrorism. One wonders whether the privacy push will lessen somehow when it is realized that potential terrorist groups are using the Internet, and encryption-related communications, in order to communicate their affairs. I cannot answer how the privacy stuff will shake itself out; however, there needs to be some middle ground between the stridency and the safety and security of our country.
LIFARS: How do cyber-insurance and cybersecurity tactics come together to fortify and strengthen said security posture?
Mr. Ferrillo: Cybersecurity insurance has been around for a number of years. It has been called by different names at different times, but it really came into the light in 2013, with the Target attack, where Target had $100 million in cybersecurity insurance. With the power of the attack, Target went through that $100 million quite quickly. For private equity and private companies, cybersecurity insurance is an excellent resource to help transfer risk to a third party, in this case to an insurance carrier, for a fair premium. Where the cybersecurity industry can help is in how to underwrite a cybersecurity risk or cybersecurity posture and awareness. A cyber breach can run into the tens to millions of dollars. Having that risk uninsured can be a terrible balance sheet drain on a company, and one that some companies cannot afford. It is up to the risk experts to work with their team to cover their bases and improve their security standing, and insurance comes in to cover the losses that we assume will happen. There are two types of companies: those that have been breached and those that don't know it.
Paul Ferrillo left on this note: "With cyber malicious toolkits for sale, Stuxnet for sale, and DDoS attacks for sale, I see 2016 as being worse than 2015. With the trickle-down theory of cyber criminality, I see more attacks – maybe not more wiperware attacks, but more attacks facing US companies. Russia will continue to be a problem – Iran and Iraq will be bigger problems – and China will continue to be a problem." Contact Paul Ferrillo on Weil's website or on LinkedIn.