In early May 2017, 10 new episodes of the popular Netflix Original show “Orange is the New Black” were leaked as a result of an attack on the streaming service’s post-production company, Larson Studios. This breach and act of extortion further exposed a critical chink in enterprise cybersecurity that will continue to cause similar detrimental cyber breaches if appropriate measures are not taken to defend against them. Although investors are rallying behind Netflix at the moment, a breakdown in cyber risk management and oversight could be devastating to its market cap in the future. It’s high time enterprises large and small acknowledged the massive risk cyber poses to their businesses through direct and indirect channels.
Netflix likely has some of the most advanced cybersecurity defenses in the corporate world, as it is expected to protect the original content that drives its revenue model and relies on big releases to support customer interest and returns. However, vulnerabilities in third-party partners pose just as big a threat to cyber defense systems and can result in the loss of proprietary property, as seen in this case with Netflix and Larson Studios.
The FBI reportedly learned of the theft at Larson Studios in January and waited until a month ago to bring the involved companies into the loop. Early reports stated that “security experts aren’t surprised by the incident, even as details about it still emerge. That’s because many have been warning of weak security at third-party vendors for years.” Despite these early warnings, the leadership at Netflix and other content producers had not acted to ensure third parties in the production ecosystem had established policies to protect from breaches.
This breach should be a wake-up call for enterprises that haven’t yet acknowledged or addressed the risk posed to their infrastructure through third-party vendors or partners. Cyber defenses will not hold up to the growing weight of internal and third-party vulnerabilities if C-suites and boards do not begin implementing a cyber-conscious culture – from the top down. It is no longer enough to leave security solely to the IT staff, and it’s now widely understood that cybersecurity isn’t just an IT problem – it’s a business problem. Board members and the C-suite must take a much more active role in making cyber risk mitigation part of the company’s enterprise risk management strategy, and consider it part of their fiduciary duties. This includes requiring third-party partners to align with the same cybersecurity standards as their own company, and making that a nonnegotiable when determining vendor contracts.
Effective cyber risk management boils down to three important mechanisms: people, processes and policies. Management teams must recognize that cyber risk is part of their enterprise-wide risk posture, and having sound policies and processes, along with training of employees, will improve their cyber maturity and mitigate susceptibility to costly breaches. Working with third-party vendors is part of that process, as well as ensuring that people at all levels of the organization are properly trained to recognize and deal with attempts to breach security.
But what happens if a breach does occur? Cyber terrorism has become a rising concern of late, and the growing magnitude of high-profile breaches is proof of that. Cybercrime is one of the only instances where the cost and liability fall on the “victim,” namely members of the board, and it is important to protect the BOD, management, and company from liability wherever possible.
Cyber insurance is relatively new and it can be expensive, but consider this: What is the cost of losing the intellectual property or data that supports your company’s core business model? Liability in the event of a cyber breach can be lessened if the company can prove it was doing everything it could to assess and mitigate potential risk using an industry standard like NIST’s Cybersecurity Framework as a foundation. The SAFETY Act from the Department of Homeland Security also offers some immunity from liability in certain circumstances, and using DHS-approved software provides a strong rationale for dismissing derivative suits against management.
While cyber insurance is a beneficial investment to help mitigate financial liabilities, it does not wholly protect the company from the reputational ramifications related to cyber breaches. It is the duty of an entire enterprise – from entry level personnel to the C-suite – to ensure they are informed and prepared to defend against both internal and perimeter threats that can result in the depletion of a company’s financial and reputational integrity.
Managing risk is the fiduciary duty of boards and officers, and cyber risk is a form of enterprise-wide risk that top management must take much more seriously. Netflix may have dodged a bullet if its valuation holds after this incident, but this should be a lesson to companies in all verticals and industries that a massive threat exists in the form of third-party partnerships. Management and directors are now tasked with taking the steps needed to prevent future cyber extortion, and it starts from the inside out.