This interview has been published by Prabhjot Singh, Priyanka Karwa and The SuperLawyer Team
What inspired you to pursue a career in Cyber Security and Technology Law?
For most of my career I have been engaged with leading industry verticals which are prone to high risk, BFSI being prominent amongst them. Risk management has been one of the primary focus areas for most senior executives in any form, be it operational risk, credit risk, compliance risk, security and fraud risks and so on. Given the fact that I have been a Banker and also spent a decade with technology, coupled with a background in law, this only got better with changing digitization trends. Emerging technologies paved the way for a deeper engagement that prompted me to move towards Cyber Law and Cyber Risk Management.
What challenges have you faced while working in this field?
As our risk advisory committee comprises risk management professionals and domain experts from Insurance and technology, we undertook extensive research on modelling in Cyber Risk Assessment & Quantification. The initial years were quite enriching in terms of brain-racking sessions on conceptualizing the idea.
One of the challenges we faced was identifying the key points that could bring stakeholders from diverse industries to a common understanding of Cyber Risk Assessment, Quantification, pricing and claims management. Our key stakeholders are Insurers, Reinsurers, Breach Response Vendors, Cyber lawyers and Corporates.
Cybercat is an outcome of extensive research in Cyber Risk Modelling. Can you explain?
This is a non-linear model to quantify cyber exposure more accurately with a very “low error margin”. Organizations can undertake assessment and quantify cyber risk for catastrophic events, which will assist different stakeholders within the organization, namely management, operations, legal, finance and technology, to understand business impact and thereby mitigate risk with policy and technical measures or by way of risk transfer to insurers (Cyber Insurance). The model provides a mechanism to price Cyber risks for the Insurance industry.
What do you consider to be the biggest challenge of Cyber Security and Technology Law?
An organization’s major challenge would be to ensure a cyber security culture with a top-down approach across the organization. It is important to understand the three principal components of cyber risk, which are operational, reputational and litigation risks, and ensure a greater degree of compliance. The enterprise information security policy should be enforced, delegated and implemented in true spirit. The driving force behind any cyber security program is its leadership, and it sets the precedent for the organization. Cyber-attacks revolve mostly around the “human angle”. While technology may provide a pathway, these risks have to be handled efficiently, as cyber governance, risk and compliance play a pivotal role in addressing them.
What do you think are the most important skills needed to be successful in this field?
The field is wide open and there are many avenues today; most disciplines have branched out, giving great opportunities. Some of the skills that are required for a career in this field are Cyber security engineering, Network security, incident forensics analysis, Data Architecture, problem-solving skills and threat hunting analysis.
What advice would you give to someone considering a career in Cyber Security and Technology Law?
There will be a huge demand for candidates such as Cyber security specialists, Information security experts, Forensics experts, Privacy specialists, cyber insurance specialists, and cyber-dedicated lawyers in the coming years.
How have you seen the landscape of Cyber Security and Technology Law evolve over the years, and what new opportunities can it bring for people in this field?
The quantum of cyber-attacks has leaped exponentially over the years. All countries throughout the world are focussed on having a National Cyber Security policy and data protection laws. A few countries have exhaustive laws, while some countries are yet to have comprehensive laws. The onus now shifts to corporates, as measures are required for regulatory compliance, without which having regulations is simply defunct. This again will bring a plethora of opportunities to legal, Information security and technology specialists or those with techno-legal qualifications, as corporates would need specialists to fulfil compliance requirements.
What do you mean by Strategic Cyber Risk Assessment, and how do C-level executives benefit from the Assessment?
Every organization today is in some state of fear of getting hit by a Cyber-attack, be it Malware, Ransomware, data exfiltration, etc. While in most entities it is the technology function that adheres to most of these technical processes, it is important for the Senior Management to understand cyber and its impact on business. Cybercat provides C-Level Cyber Risk Assessment at a macro level for executives to get a broader view of Cyber Risk for their organization.
This will assist senior executives in getting first-hand information about the organization’s cyber posture and the monetary value at risk. This can further support the overall cyber program envisaged by the top leadership in making it a cyber resilient organization.
What do you think is the most important thing to consider when it comes to protecting a company’s digital assets?
Every organization should have an inventory of digital and physical assets and also have a tracking mechanism for those inventories. There are a few things that should be part of mandatory company Asset and data protection policies for the protection of digital assets, viz. password management, multi-factor authentication, role-based access, encryption and backup of data. Centralized digital asset management is also used by industry to manage digital assets.
What are some of the easiest ways of conducting litigation and risk assessment?
There are multiple ways of conducting Risk Assessments remotely; let me differentiate between Cyber and Non-Cyber Risk Assessments.
The Cyber or Technology Risk is assessed through the Cybercat©™ platform. The platform itself is a robust, internationally validated risk model and proprietary software (Registered and copyrighted) that has been written around the risk platform. This provides a completely automated report for not just assessment, but also quantification in INR/$ terms and recommendations for risk mitigation and improvement. As the assessment is generated on a real-time basis, it would be ideal to run the assessment on either a quarterly or a trimester basis in order to map the dynamic risk profile. This will cover operational, reputational, legal and technical risk assessment.
The other forms of assessment, which are core technical, would comprise Vulnerability Assessment and Penetration testing and Red team assessments.
Non-cyber or non-technology risks have a different objective, as they deal with Directors and Officers Liability, Crime Insurance and Professional Indemnity and Contract Risk. They would also need a detailed ERM (Enterprise Risk Management) with specific questionnaires crafted around the key areas to understand the time value of a legal dispute and probable loss estimates.
According to you, what are the most important steps a company should take to ensure its Cyber Security and Technology Law compliance?
Here are a couple of key steps that I can think of:
- There is an impending need for a strong leadership focus on cyber security.
- An organization has to drive the cyber security change to create greater awareness and a sense of responsibility amongst their human resources.
- Organizations should have a greater understanding of their systems, network and data and undertake Business Impact assessment to guard against risks and quantify damages.
- Organizations should evaluate their existing versus newer technologies and put a layered protection to combat cyber-attacks.
- Organizations should consider frequent assessments to find the vulnerabilities and take mitigation actions.
- The legal team should be proactive in determining the risks related to their organization’s business profile.
- Last but not least, having a Cyber Risk mitigation plan is inevitable for all organizations, not just to understand risk but also to take measures to bring down cyber incidents.
Lastly, any 5 best pieces of advice for our young law professionals?
Today’s young law professionals are so dynamic that they don’t need any advice. Yet here are a few things which I suggest from my experience:
- Law is an ever-changing field and hence one needs to be an all-rounder.
- Law professionals should look at widening their horizon during their academic stint besides trying to acquire practical knowledge through internships all through the course.
- Law professionals should keep track of multiple sectors and understand the changes that are happening in each sector. While one need not be a specialist in everything, keeping tabs on things always helps in creating a niche area of practice over a period of time.
- As there is no perfect solution for anything, only possible options, one should ideally think from a future point of view and visualize possible solutions.
- Young lawyers should make sure to write good legal pieces and publish them in reputed law journals to add credibility and value to their profile, which will go a long way in building and establishing their reputation as a subject matter expert over the years.
Get in touch with Vijayanand Subramaniam.