Understanding Cybersecurity Due Diligence

Rarely does a day go by on which some variety of cyber attack is not front-page news. From Ashley Madison and the U.S. Office of Personnel Management to Sony, Saudi Aramco, and the Ukraine crisis, cybersecurity is increasingly taking center stage in diverse arenas of geopolitics, international economics, security, and law. But despite the growing number of such incidents, the field of international cybersecurity law and policy remains relatively immature, especially as it relates to cybersecurity due diligence.

What is cybersecurity due diligence? The term has been defined as "the review of the governance, processes and controls that are used to secure information assets." Such due diligence obligations may exist between states, between non-state actors (e.g., private corporations), and between state and non-state actors.

International law, while informative, does not spell out how nations (or companies under their jurisdiction) should go about enhancing their cybersecurity to account for emerging due diligence obligations. There is currently no consensus from the International Court of Justice or elsewhere, for example, on when neutral transit states must police their networks, such as by blocking cyber attacks that pass through them. As a result, it is helpful to consider what leading nations and firms are actually doing in this regard. To that end, we analyzed how three leading cyber powers (the U.S., China, and Germany) are approaching this topic. The result is a first-of-its-kind due diligence matrix, available here.

This matrix is not meant to be the last word on the topic of cybersecurity due diligence between these nations; rather, it is only meant to provide a snapshot and hopefully jumpstart a larger conversation about what the rights and responsibilities of nations are in this arena. To inform that discussion, it is also critical to consider the private-sector approach to due diligence.

Jason Weinstein, former deputy assistant attorney general at the U.S. Department of Justice, summarized the issue of cybersecurity due diligence succinctly when he said: "When you buy a company, you're buying their data, and you could be buying their data-security problems." In other words, "[c]yber risk should be considered right along with financial and legal due diligence considerations." Already, a majority of respondents in one 2014 survey reported that cybersecurity challenges are altering the M&A landscape, while eighty-two percent said that cyber risk would become more prominent over the following eighteen months.

A majority of surveyed firms also said that a cyber attack during the M&A negotiation process could scuttle the deal, which is a real concern given how regularly serious cyber attacks come to light as merger activity grows. Managers now considering what form cybersecurity due diligence should take have a wealth of resources (as well as a growing array of compliance obligations) to consider. These include, in the U.S. context, the NIST Cybersecurity Framework, as well as guidance from the Securities and Exchange Commission, the National Association of Corporate Directors, and the PCI Security Standards Council. Together, these frameworks, and others, provide the beginnings of a cybersecurity due diligence standard that can guide judges as they work through causes of action such as breach of fiduciary duty and negligence arising from data breaches.

Despite some progress, there is still a long way to go to enhance private-sector cybersecurity due diligence, including in the M&A context. Freshfields Bruckhaus Deringer, a global law firm, for example, conducted a survey in which they found that "78 per cent of global respondents believe cyber security is not analysed in great depth or specifically quantified as part of the M&A due diligence process, despite 83 per cent saying they believe a deal could be abandoned if previous breaches were identified and 90 per cent saying such breaches could reduce the value of the deal." Similarly, only 39 percent of respondents "say they make cyber security policies . . . a condition precedent that is addressed prior to completion" of a transaction. In other words, despite growing recognition of the scale and scope of the multifaceted cyber threat facing firms, many remain predominantly reactive. To improve on the status quo, firms must adopt proactive cybersecurity best practices: risk-based data management, minimizing the danger of insider threats by aligning corporate and human resources policies, and reviewing the cybersecurity track records of vendors and potential partners before entering into a deal.

The end result of all this is that, according to our study and others, there is a push among IT professionals to go beyond mere due diligence and move toward real-time analytics and other cybersecurity best practices to monitor vendors' systems. The lesson here is constant vigilance: an initial process of cybersecurity due diligence should be the first, not the last, word in an ongoing, proactive, and comprehensive cybersecurity policy that promotes cyber hygiene along with the best practices essential for battling advanced threats. Such a policy should be widely disseminated and regularly vetted as part of an overarching enterprise risk management process, and paired with an incident response plan that includes both private and public information sharing mechanisms.

Over time, as legal harmonization progresses, there will be more opportunities to build out cybersecurity norms, including due diligence. Already, a number of national governments, and even some companies such as Microsoft, have released lists of draft norms for stakeholder consideration. Given both the rich cross-pollination of cybersecurity best practices and the cyber threat posed by a huge range of attackers, conceptions of cybersecurity due diligence should be gleaned from existing international law but built out through a review of industry norms that are in turn informing national policies. Achieving some measure of cyber peace requires the active involvement of public and private stakeholders. It may be time for more international lawyers to reach out to CISOs, and vice versa.

Scott Shackelford serves on the faculty of Indiana University, where he teaches cybersecurity law and policy, sustainability, and international business law, among other courses. He is also a senior fellow at the Center for Applied Cybersecurity Research, a National Fellow at Stanford University's Hoover Institution, and a term member of the Council on Foreign Relations. For a full version of this article, see Scott J. Shackelford, Scott Russell, & Andreas Kuehn, Unpacking the International Law on Cybersecurity Due Diligence: Lessons from the Public and Private Sectors, available here.