China’s legislature approved its Cybersecurity Law this past November, solidifying China’s regulatory regime for cyberspace and potentially disrupting foreign companies that use or provide telecommunications networks in China. The law takes effect June 1, 2017, and reflects China’s desire for “cyber-sovereignty” (regulating the Internet in China according to national laws, despite the global nature of the World Wide Web). As the Chinese Communist Party (CCP) faces pressure from slowing economic growth and foreign influence, the Cybersecurity Law is one in a series of laws the Chinese government has implemented recently to uphold state security.
Significant Provisions of the Law
Though the wording of the law is vague, it formalizes many current practices and aims to consolidate cybersecurity authority under the Cybersecurity Administration of China. While the government is expected to offer more clarification on the law through implementation rules, how the law is played out in practice will be the ultimate indicator of the law’s severity. These three aspects of the law have the greatest potential to affect multinational companies (MNCs) doing business in China, according to an NACD analysis:
1. Data localization: Article 37 of the law is one of the most contentious and requires that “critical information infrastructure” (CII) operators store personal information and other important data they gather or generate in mainland China to be storedin mainland China. CII operators must have government approval to transfer this data outside the mainland if it’s “truly necessary.” The definition of CII is a catch-all, including public communication and information services, power, traffic, water, finance, public service, electronic governance, in addition to any CII that would impact national security if data were compromised.
Impact: The broad applicability of the CII definition raises the concern that any company using a telecommunications network to operate or provide services in China would be required to store data in mainland China, possibly even affecting those that store data to clouds with servers located outside mainland China.
2. Support for Chinese security authorities: Article 28 requires “network operators” to provide technical support to security authorities for the purposes of upholding national security and conducting criminal investigations. Network operators are broadly defined as those that own or administer computer information networks or are network service providers, which may include anyone operating a business over the Internet or networks.
Impact: The loose definition of “technical support” creates the concern that MNCs will be required to grant Chinese authorities access to confidential information, compromising private information and intellectual property that may be shared with state-owned competitors. Although not stated in the final version of the law, there is also the possibility that companies may be required to provide decryption assistance and backdoor access to authorities upon request.
3. Certified network equipment and products: For network operators, Article 23 indicates that “critical network equipment” and “specialized network security products” must meet national standards and pass inspection before they can be sold or supplied in China. A catalogue providing more specification on these types of products will be released by the government administrations handling cybersecurity. Under Article 35, CII operators are also required to undergo a “national security review” when purchasing network equipment or services that may affect national security.
Impact: Chinese companies and government agencies have historically relied on computer hardware and software manufactured by foreign companies, although this is now shifting in favor of domestic IT products. Opportunities for hacking and espionage put China at risk of losing sensitive information to foreign governments or companies, and China has already started conducting reviews of the IT security products used by the central levels of government. This provision of the Cybersecurity Law demonstrates China’s resolve to mitigate this risk and may pose a significant barrier to foreign IT equipment manufacturers selling products in China.
How Directors Can Prepare
China’s Cybersecurity Law has been criticized by the foreign business community, and, depending on the law’s implementation, it may make doing business in China for MNCs not only more complex but also riskier. Tom Manning, a China specialist at the University of Chicago Law School and director of Dun & Bradstreet, CommScope, and Clear Media Limited, advises boards to consider the effect of the Cybersecurity Law in the greater context of China’s rise: “The Chinese economy is increasingly more self-sufficient. Domestic companies are growing stronger and are more capable, while multinational companies are finding it more difficult to compete.”
Manning suggests boards conduct an overall China risk assessment, with the Cybersecurity Law as the focal point. While some companies may determine the risk of doing business in China is too high, Manning says, others might decide they need to invest more in China to be profitable. Ultimately, creating alliances with domestic firms, who have a greater influence over the government’s implementation of the law, may be key. “Leading domestic companies have a stake in seeing a better definition of the law, and their interests aren’t unaligned with multinational companies,” Manning says. “Chinese Internet companies can explain to the government how the law will affect their business models and be more effective in doing so than Western companies.”
Although how the law will be enforced remains to be seen, boards can consider the following questions when evaluating the impact of China’s Cybersecurity Law:
Are we storing information generated or gathered in mainland China on servers in mainland China? Do we need to create separate IT systems for China-specific data? Are we reliant on cross-border data transfers, and how would we approach this need with the Chinese government?
What is our risk exposure stemming from the potential loss of intellectual property or encryption information as a result of this law? How would our business be affected should our Chinese competitors gain access to this information?
For computer hardware or software manufactures, are we willing to share our source code with the Chinese government?
For technology firms, how does the law alter the playing field for our company to compete in China against domestic firms?
What additional investments do we need to make in order to comply with this law?
While technical defenses might help stave off some attempted hacks, sooner or later a company will become a victim of cybercrime, and a contingency plan for communicating about the aftermath of an attack is critical for any organization. RANE recently reached out to several experts for their advice to companies for managing the flow of information and maintaining control of an organization’s reputation in the event of a breach.
The Initial Response
Ann Walker Marchant
“There’s a lot to gain or lose when you approach the equity you’ve built in your brand—and trustworthiness is part of the value of your brand,” says Ann Walker Marchant, CEO of The Walker Marchant Group. After a breach, an organization’s leadership must keep in mind all of the people who have placed trust in the brand. The impacted enterprise must convey that it is “willing to do whatever it takes to ensure you minimize risk to them,” she adds.
“You have to understand that it’s most important you’re communicating with your own people internally,” Christopher Winans, executive vice president and general manager at Hill+Knowlton Strategies, argues. Organizations should not allow internal stakeholders to learn about a crisis from external sources. “When your own people are finding out through press reports, it harms confidence within your [entire organization].”
“With a cybersecurity breach, you often don’t know what’s been compromised, at least at the very beginning,” Walker Marchant explains. Often, the best bet is to expect the worst. “You’ve got to assume they’ve got everything and act accordingly without appearing to create fear and panic with your internal and external audiences,” while simultaneously dealing with pressure from various audiences and stakeholders, Walker Marchant said.
Reaching Out to Regulators
A client update published by Debevoise & Plimpton LLP, titled “How to Disclose a Cybersecurity Event: Recent Fortune 100 Experience,” states that Fortune 100 companies disclosed 20 “incidents of major data breaches or cybersecurity events between January 2013 through the third quarter of 2015.” Most of the affected organizations made initial public announcements via news reports instead of a current report on Form 8-K. Debevoise & Plimpton notes that companies that did go the Form 8-K route “most often did so where the breach involved customer financial information.” Organizations, the report’s authors add, “should also be mindful of selective disclosure issues and their obligations under Regulation FD.”
Debevoise & Plimpton also warns against the risk of disclosing incomplete information regarding a breach, noting that “the ‘known’ facts may represent a small piece of the cybersecurity risk mosaic, which can require significant forensic research to assemble.” Potential inaccuracies in any disclosure represent yet another risk for organizations.
Subsequent reporting of updated cyber risk factors were largely contingent upon how breaches were initially disclosed in periodic corporate reports. In annual reports that come after a material breach, the Debevoise & Plimpton report notes, many corporations “view their annual report as an opportunity to update and tailor risk factors more generally, and the occurrence of an intervening cybersecurity event provides fodder for such fine tuning.”
Differing Perspectives Within an Organization
Caution is important, although any delay in responding in a timely manner also presents a risk for targeted enterprises. At the outset of planning the response, Winans adds, “It is better to tell your constituencies what you don’t know than it is not to tell them anything.”
However, there are often conflicting viewpoints of how to act in the immediate aftermath. “The tech guys will weigh in and say the best thing the company can do is get a hold of the FBI and find all the things in the network that are screwed up so they can take action to fix it,” says Steven Bucci, a visiting fellow for special operations and disaster management at The Heritage Foundation. “But you’d be hard pressed to find any lawyers to give their leaders that advice; instead, they’ll say it will hurt the company’s bottom line, it’ll hurt the company’s stock, and it could open up the organization to claims by competitors. While all of that, frankly, is true, that leaves the organization as vulnerable as they were before the breach—and probably also in violation with the Securities and Exchange Commission, as well as open to potential lawsuits from customers or clients.”
Still, it’s understandable that a cautious approach may appeal to many who don’t want to create panic, or those who are simply conflicted over the best course of action, Walker Marchant says. On the other hand, any delay in crafting a measured public response can result in harm to an organization’s brand equity. “Stakeholders will want to know who knew what, when, and why didn’t you tell us?”
Winans says that a clear organizational response plan that involves upper management is crucial before a crisis. “The very first thing you need to do is create a team, a coordinating committee, that is made up of all the functional parts of the company—the C-suite, the CEO or COO. Ideally, it’s got to be the leader of the company that takes charge of the situation, and you have to have people from HR, legal, operations, IT and investor relations.” For a company that answers to a variety of regulators, it’s even more important to get people in different roles together.
“That’s a team that needs to meet every day,” Winans adds. And before an actual breach takes place, that same team should be practicing how they will respond to a worst-case scenario. Winans proposes a “flight school.” “We set up people to actually play out an actual scenario,” he says. “The whole thing is designed to feel like an actual crisis.”
Lessons of a Real World Response
The Sony Pictures hack is an instance where the company was a little more forthcoming, at least with law enforcement, because they had no idea who could be penetrating their systems so extensively. Nevertheless, they suffered serious criticism and ridicule for how poorly they guarded their network.
“Exactly what the breach entailed wasn’t clear at the very beginning,” Walker Marchant says. “It was death by a thousand knife wounds because it was that trickle-down approach, because every day was something different.” Lists of salaries, copies of unreleased films, and sensitive e-mail from senior leadership were also part of the data theft. Still, Bucci argues that “while they did get beat up pretty badly,” in the end “they got through it faster and with far more sympathy from the public by saying, ‘We got hammered.’”
As recent examples of flawed responses by organizations following cyber breaches highlight the risks of incomplete or inaccurate information, boards have one clear warning: Doing nothing is not an option. The age of instant communications and 24/7 media coverage ensures that very little in the cybersecurity universe can reliably remain under wraps for long—lessons that others have already learned the hard way.
“I think the biggest mistake is deluding yourself that you can contain this and no one will find out,” Winans says. “The fact is that very often the worst thing that can happen to a company isn’t a crisis situation. It’s how they respond to it.”
About the Experts
Steven Bucci is a Visiting Fellow for Special Operations and Disaster Management, as well as primary instructor in leadership, at The Heritage Foundation.
Debevoise & Plimpton LLPis a premier law firm with market-leading practices, a global perspective and strong New York roots.
Ann Walker Marchant is recognized as a preeminent strategist and counselor with more than 20 years of experience developing and leading wide-ranging initiatives for the White House and Fortune 100 brands.
Christopher Winans, executive vice president and general manager at Hill+Knowlton Strategies in New York, has 22 years of experience in journalism, 10 of those at The Wall Street Journal.
RANE is an information services and advisory company serving the market for global enterprise risk management. Learn more at www.ranenetwork.com.
Overseeing risk is no small task for boards as a company’s footprint is no longer confined to local or even national boundaries. The globalization of business—spurred in large part by the Internet—has simultaneously expanded business opportunities while also introducing new worlds of risk that an organization must contend with.
The National Association of Corporate Directors (NACD) invited Joan Meyer, a partner at Baker McKenzie LLP, and SecureWorks Chief Threat Intelligence Officer Barry Hensley to offer their insights on these issues as part of a larger panel discussion at the Leading Minds of Governance–Southwest event.
Highlights from their conversation with NACD Directorship Publisher Christopher Y. Clark follow.
What is your outlook on the complexities of being an international company?
Joan Meyer: It’s becoming extremely complex because there is increasing enforcement from other jurisdictions. Five or six years ago, the U.S. was the predominant regulator and multinationals only had to deal with certain European countries in addition to the United States. Now, we are seeing emerging markets that are getting extremely aggressive. They are also putting in more restrictive laws and data privacy rules about the transfer of data. It’s a real conundrum for companies because they not only have to comply with U.S. law but the more robust law of various regimes, which create conflicts. Some of that risk may be theoretical because certain jurisdictions have not begun enforcing these laws —but it’s out there.
If you are disclosing information to a U.S. enforcement authority but you can’t get information out of a foreign jurisdiction, a U.S. regulator might not care— they just want the information. In this situation, not only is executive management caught in a bind, but the board will be asked: “What do we do?”
The U.S. Department of Justice is also pursuing individual prosecutions of mid-level managers and the C-suite, and there is increasing pressure on companies dealing with U.S. authorities to get cooperation credit by identifying individuals who are culpable for the misconduct. And it’s not only in the U.S. where that’s happening. Because the government wants real-time cooperation in pursuing individuals, it’s frustrating for companies because they are being pushed to provide investigatory conclusions to the government which they may not have completed. On a global basis—whether it’s Saudi Arabia, China, Russia, or Brazil—individuals are being actively pursued. The problem is compounded if they are expatriates who are working in these foreign countries for a limited period of time, don’t understand the culture, and are suddenly being subjected to detention or prosecution. This puts managers working outside countries with an established legal system at real risk because they may be pursued by authorities simply for a perceived failure to exercise their supervisory responsibilities in the right way.
What questions should a board chair ask the chief information security officer [CISO]?
Barry Hensley: First: What are our top five risks? Only by thinking like the enemy can the CISO begin to itemize and categorize the company’s security risks. Consider the following ways you may be attractive to cyber threats: your brand and how you’re perceived on the world stage; your digital capital, such as intellectual property, electronic currency, and personal data and how it’s secured; and your internet-exposed vulnerabilities.
Second: Does our security program have the visibility to detect an advanced adversary whose work eludes security controls? The threat does not remain static nor does the network. While some tactics and tradecraft are well known, the adversary is innovating, always seeking opportunities to bypass traditional protections. For example, while implementing multi-factor authentication is important, bad actors are finding ways to impersonate users and hijack credentials. Does your risk assessment learn from the headlines and adapt? It’s important to keep risk assessments current and update your mitigation strategies and budgets against these threats.
Third: Does your staff collectively understand the term “breach” and the conditions that trigger a formal response? Are you prepared with a meaningful, rehearsed, cross-disciplinary crisis response plan? While no company wants to dwell on the potential for serious incidents and breaches, preparation is still essential. This requires a real understanding of what constitutes an addressable incident, what triggers it, the steps that must occur to resolve the incident, and the people involved. Key tenets should be established, such as: knowing who’s in charge, how the board contacts the key players, and what the measurable actions we take to address the incident are.
Fourth: Is security training tailored to ensure appropriate audiences are aware of threat actors and their tactics? Different segments of the workforce present different risks, and the CISO must make sure each segment is aware of the tactics being used to exploit all avenues of compromise. Boards need to ask: Do employees understand how phishing works? Do administrators know the value of frequently changed passwords and vulnerability scans? Do web designers understand the importance of secure coding practices? Do executives and financial managers recognize that they are extremely lucrative targets for social engineering? And remember: there is no such thing as one-size-fits-all security training.
Want more? A panel of Fortune 500 company directors and subject matter experts will offer their insights on issues ranging from cyber resilience to the latest regulatory trends at Leading Minds of Governance–Southeast. Join us on March 16 in New Orleans, LA. Space is limited—register today.
Click here to read addition coverage of the Leading Minds of Governance–Southwest event with highlights from a discussion on the board’s role in overseeing talent and tone.