Kip Boyle: Welcome to the Cyber Risk Management Podcast. Our mission is to help executives become better cyber risk managers. We are your hosts. I'm Kip Boyle, CEO of Cyber Risk Opportunities.

Jake Bernstein: And I'm Jake Bernstein, cybersecurity counsel at the law firm of Newman DuWors.

Kip Boyle: This is a show where we help you become a better cyber risk manager.

Jake Bernstein: The show is sponsored by Cyber Risk Opportunities and Newman DuWors, LLB. If you have questions about your cybersecurity-related legal responsibilities ...

Kip Boyle: And if you want to manage your cyber risks, just as thoughtfully as you manage risks in other areas of your business, such as sales, accounts receivable and order fulfillment, then you should become a member of our cyber risk managed program, which you can do for a fraction of the cost of hiring a single cybersecurity expert. You could find out more by visiting us at cyberriskopportunities.com and newmanlaw.com.

Jake Bernstein: So, Kip, what are we going to talk about this morning?

Kip Boyle: Well, it's our first episode of the podcast so why don't we tell everybody who we are and what we do? So, I'll go first. As you know from the introduction, I'm the founder and CEO of a company called Cyber Risk Opportunities. We're going to turn three years old here pretty quickly, so we're pretty excited about that. Our mission is to help executives become better cyber risk managers. That's what we do.

Kip Boyle: How about you, Jake?

Jake Bernstein: My mission is to provide legal advice regarding cybersecurity in general and privacy laws around the nation. Today is May 24th and is the day before GDPR Day. That is a big moment in security and privacy law around the entire world, so it's a good time for us to be introducing ourselves.

Kip Boyle: Jake and I have done some work together. We have some customers in common, and have provided cyber risk advice and counsel under attorney-client privilege. We're going to talk about why that might be useful if you're a cyber risk manager.

Kip Boyle: But I wanted to take a moment and talk about why do I do this. I've been working in the field of cybersecurity now for over 20 years, hard to believe, because 20 years ago, the internet really wasn't a thing for most people 20-plus years ago.

Kip Boyle: I got my start when I was in the Air Force working on some weapons testing projects. I didn't set out to become a cybersecurity expert, but I had to learn computer security and network security as part of my job. So when the internet showed up and I left the military, it turns out there was plenty of work for me to do. Since then, I've worked in a lot of different industries, and I've helped many executives manage their personal cyber risks and their organizational cyber risks.

Kip Boyle: You know, Jake, what I love about my work is these are very smart people and they have a hunger to learn what's cyber risk and how can they tame this new risk area. I know it's been around for a while now, but compared to a lot of business risks, this is a pretty new area. The executives are capable of learning what to do, but they struggle, I think, in part because they perceive it as being a highly technical area. It is, to some degree, but I certainly don't think they need to become technical wizards in order to be able to work in that space.

Kip Boyle: But what's your experience, Jake?

Jake Bernstein: My experience is I also did not set out to become a cyber risk or cybersecurity attorney or expert of any kind, really. I kind of fell into it. I always enjoyed playing around with computers, and I had a friend who had a home LAN back when having a home LAN was a very unusual thing to have.

Kip Boyle: Oh, you mean a local area network?

Jake Bernstein: A local area network, yes, back in the mid-'90s.

Kip Boyle: Yeah, that was rare. I bet I know what that looked like.

Jake Bernstein: Yeah, it was a lot of cabling all over the place.

Jake Bernstein: But I started my career at the Attorney General's Office for the state of Washington. I was working in the Consumer Protection Division in the high-tech unit where I focused on protecting consumers against online fraud and scams and things like that.

Jake Bernstein: Over the years, it quickly became more and more about privacy and security. Everything from the malware and what we called scareware to rather egregious privacy violations from really all over the place with data tracking, a loss prevention system that was really just one of the worst forms of literal spyware on people's computers and take pictures of you without your notice.

Kip Boyle: I think a school somewhere actually used that for a while to bad effect.

Jake Bernstein: Yeah, and this particular case was a rent-to-own company.

Jake Bernstein: But at any rate, during my time at the AG's Office, I really kind of fell in love with the area and how impactful it could be. So when I was invited, still with the AG's Office, to come to the Secure World Expo, I went. I felt like the token government lawyer. I knew nothing really about security proper, but that was five years ago. Today, I have quite a bit of experience. We've worked together for the better part of two-and-a-half years, which is almost your entire corporate history and almost my entire private practice history at this point.

Jake Bernstein: I agree with you. I find that this is an area that people tend to worry about without really understanding what it is they're worrying about. I think one of the most fascinating aspects of it is that, as technical as it seems, it's got legal facets, it's got management facets, it's got human resources facets. It's really a very broad ... It's a true team sport, and I really enjoy helping companies and my clients work through this, make themselves safer. And, as you're fond of saying, because we're all foot soldiers in the cybersecurity war, really helping our clients helps make everyone else safer as well. It's kind of a herd immunity effect that we get.

Kip Boyle: That's right.

Jake Bernstein: I just find it to be a very rewarding. So much so that I spend a bunch of time and effort to become certified as a information security service professional which, for a lawyer, is pretty unusual.

Kip Boyle: I don't think there are many lawyers out there that have a CISSP. Well, I think one time you told me it was like less than a dozen in the United States?

Jake Bernstein: Well, I think it's up to about between 30 and 40, but not many.

Kip Boyle: No.

Jake Bernstein: I mean considering the number of lawyers in the country, that's a minuscule number indeed.

Kip Boyle: That's right. I think that's a good kind of a barometer, if you will, about how nascent cyber risk is in the legal community. But I think we're also seeing signs that it's starting to become a very important topic, and so, we could expect to see more CISSP attorneys. Like you need to go to more school, right?

Jake Bernstein: Exactly. I think you're right. The world has really changed a lot in 20 years in terms of what it means to be secure. It used to be that this stuff, only the military really worried about this 50 years ago, 40 years ago, 30 years ago.

Kip Boyle: Or the NSA.

Jake Bernstein: Well, I will lump them in with the military, in a sense, but the intelligence agency is the military's and maybe very specific certain types of industries like telecommunications. They're the only ones that thought this was a big deal. Now, these cyber attacks are so common that I believe I saw an article that Visa's or MasterCard's cybersecurity team has no budget.

Kip Boyle: Which isn't to say they have no money.

Jake Bernstein: Which is to say quite the opposite. They have as much money as they need.

Kip Boyle: That's right.

Jake Bernstein: This is a situation where no budget means it's actually not zero. It's a blank check.

Kip Boyle: Of course, in my history, no budget means zero money.

Jake Bernstein: Oh, and for a lot of companies, it still does mean zero money.

Kip Boyle: Especially in the middle market and small business.

Jake Bernstein: I believe I saw, too, that one of the major banks, they're setting up war rooms, which sounds like a military term because it is. It is a military term. What's so fascinating is I think it was something like 20 million attacks to-date in 2018. That number is astounding. If you think about the history of, for example, bank robberies ... This is a theme that you and I have used before in talks. Their problem would have been 20,000 armed bank robberies in the last 100 years, yet you're talking about 20 million cyber assaults on our financial institutions inside of six months.

Kip Boyle: That's one of the things that I'm really excited about with our podcast is we're going to be talking to our listeners about why does a bank need a war room? Why are there 20 million attacks coming at them? Helping them understand why does Kip say that we're all foot soldiers in the cyber wars right now? What does that mean?

Kip Boyle: I think what we're seeing and what we'd like to share with our listeners is from where we stand at the intersection of technology and business and the legal world, we're seeing some amazing things happen right now that can help to explain why has the world changed and how will it continue to change with respect to cyber risk.

Kip Boyle: One of the things that the movies and newspapers would have us believe is that cyber risk is all about downside. But what we've experienced and what we want to share with our listeners is that cyber risk actually can happen upside as well, right? Jake, we've talked about that.

Jake Bernstein: We have. Cyber risk it can be a real business differentiator. If you're a vendor and you make cyber risk management a priority, you're going to be in a very good position when you get questionnaires and what we call a supply chain risk management activities coming from your customers. This is happening all the time. You and I just met with a new client last week about this.

Jake Bernstein: Nobody can avoid it because as we learned from, for example, the Target breach, your attack vectors can come from many different directions. The threats are everywhere and in Target's case, the bad guys came through essentially the air conditioning. That's a risk that previously had not been well identified.

Kip Boyle: Supply chain management is huge for very large companies. So, if you're a middle market company or a small company and you're doing business with very large companies, then if you haven't seen this kind of supply chain pressure on you yet, you will.

Kip Boyle: I also think that that pressure will continue to increase. What that means is that you've got to have a great cyber risk story. Should something go bad and you ended up in front of a regulator, or what I call the court of public opinion as Equifax recently did, or even in the court of law which is Jake's territory, you've got to have a really compelling case, a really great story to tell about why you were not negligent, even though something bad happens.

Jake Bernstein: You sound like a litigator, Kip, because cases really do come down to stories. If you'll watch TV and movies, legal thrillers and things like that, you may have an impression that oftentimes these cases are inaudible lost on "technicalities." While that certainly happen in the civil arena, particular with regulation that you see around the cybersecurity and privacy requirements, it really is rarely a "technicality" that's going to win or lose your case. Instead, it's what kind of story can you tell about what you've done.

Kip Boyle: And not a lie.

Jake Bernstein: Not a lie.

Kip Boyle: We're not saying you're going to tell a lie.

Jake Bernstein: No, this is not a lie. Because here's the thing, is that your story has to be backed up with facts.

Kip Boyle: With evidence and testimony and-

Jake Bernstein: And evidence and testimony and it's going to be painfully obvious to the other side, to the judge and to the jury if you're making stuff up on the fly.

Jake Bernstein: One of the reasons that you and I work together is that because the risk of legal liability is so high with respect to cyber risk management, it's extremely wise to measure, score and mitigate your own cyber risks under attorney-client privilege. That is actually one of the major services that we offer.

Kip Boyle: That's right. So not only can an executive understand their cyber risk, and then, manage it thoughtfully and intelligently, but they can do it with the protection that would allow them to determine whether they wanted to disclose in the case of a regulator or in a court how much of my cyber risk management program do I want to share? In an era of e-discovery, this is a very powerful shield that an executive can have over their program.

Jake Bernstein: It is, and it goes to the history of the attorney-client privilege. It's literally about where the bodies have been buried, and now, that would be, if you're talking homicide that's a criminal matter. But in our field, there may very well be the proverbial bodies that are buried, largely oftentimes within IT departments that may not want to share the fact that there are bodies buried in the backyard.

Kip Boyle: There's no case, right?

Jake Bernstein: So doing it under attorney-client privilege allows you to open up without fear of that information getting out and potentially making you look really bad, either in the court of public opinion or a court of law.

Kip Boyle: Exactly. Okay. So that's who we are, that's what we do. We're hoping you, our listeners, that you're going to stick around because we're going to be releasing a whole series of episodes coming up that are going to dive deeply into all of this. Do it in a way that respects the technology here at play, but isn't going to weigh us down with a lot of technological jargon. We're not going to try to teach you how to build networks or anything like that. We're going to keep this at an executive level, this conversation that we're going to have. We hope that you're going to be a part of it, so thanks for joining us today on the Cyber Risk Management Podcast.

Kip Boyle: Thanks, everybody, for joining us today on the Cyber Risk Management Podcast.

Jake Bernstein: Remember that cyber risk management is a team sport and needs to incorporate management, your legal department, HR and IT for full effectiveness.

Kip Boyle: And management schools should create an environment where practicing good cyber hygiene is supported and encouraged by every employee. If you want to manage your cyber risks and ensure that your company enjoys the benefits of good cyber hygiene, then please contact us and consider becoming a member of our cyber risk managed program.

Jake Bernstein: You could find out more by visiting us at cyberriskopportunities.com and newmanlaw.com. Thanks for tuning in. See you next time.