United States: Lessons From The New York ATM Heist

The announcement yesterday of charges in New York against eight members of a cybercrime ring that stole $40 million from ATMs in 24 countries, all within 10 hours, is the latest in a series of episodes that illustrate the constant threat of cyber attacks against our corporate networks. This case should be a wake-up call to anyone who underestimates the sophistication and determination of today's cyber-criminals. Now more than ever, hackers in different countries can collaborate across borders and time zones and despite language barriers, just as easily as if they were in the same room. They can orchestrate and execute highly sophisticated, complex criminal schemes that involve coordinating the actions of associates around the globe.

For victim companies, the results can be devastating, including financial losses, heavy remediation costs, and reputational harm. But it doesn't stop there, because the companies can also face regulatory proceedings and litigation for years to come.

Every company with a network to protect – which is to say, every company, anywhere – should look at the New York case as a reminder to review its own breach preparedness. That means more than just network security. It also means ensuring that contracts with business partners address liability for data security, and that insurance coverage is appropriate. It means ensuring that the company is in compliance with applicable legal requirements for processing, storing, and securing data. And it means having an incident response plan in place, and testing that plan, before a breach occurs.

This type of comprehensive review of information governance and data security is the best way to mitigate the risks of harm from a breach. And in the event a breach occurs, demonstrating the steps the company took to prevent and prepare for a breach will be a critical part of the company's defense in enforcement proceedings and litigation. The best defense later is a proactive defense now.

Kudos to the prosecutors from the Eastern District of New York and their partners in the Secret Service and ICE for their work in this case, which no doubt continues as they pursue the hackers who masterminded the scheme.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.