
After Brussels, Take Stock of Your Disaster Preparedness Plan

General counsel are tasked with managing risk. Sometimes this comes in the form of regulatory compliance, litigation preparation, or data breach readiness. Other times risks to your global organization are unforeseeable bolts from the blue — natural disasters, financial crises, or acts of terrorism. The recent terrorist attacks in the Brussels airport and metro system weigh heavily on the mind, as they starkly remind us that no city is immune to the threat of violence. Police officers on the train and multiple levels of security at airports everywhere may be a comforting show of security, but they also remind traveling professionals of the inexorable threat they face in simply using the infrastructure of business.

Diligent risk management means taking into account 'black swan' events — things that are incredibly unlikely, to the point of omission from your models, yet so damaging that they merit consideration. This is the same school of thought that drives NASA to spend large sums of money searching for wayward, potentially Earth-bound meteors. Unlikely, yet astronomically dangerous events should figure in your calculus, albeit in a manner that is proportional to their expected risk quotient.

In the wake of the Brussels bombings, general counsel will be reminded to refresh their active risk management plans, even if the possibility of an attack remains remote. Disasters and mass violence have broad-based effects on business that extend far beyond those affected. Even if terrorism is random, it is nevertheless a risk that can be planned for. The 2003 ACC Docket article, "Terrorism Risk Management Strategies for Businesses," merits a read.

According to the article, a sober security risk assessment requires at least three components: threat, vulnerability, and effect. From the article, "Threat refers to what the group or individual can do to harm your company, and part of assessing that threat is to look at the motivation and capability of terrorists in general or a particular group that you think may want to attack your company. Keeping in mind your findings from your threat assessment process, you need to then take the next step of considering where security vulnerabilities lie." Finally, "In business terms, you need to understand the potential effect of each threat upon continued activity. You should then design your company's security plan to counteract those threats and to most rigorously protect processes that are critical to your company's success and survival."

The article also provides tips on how global businesses can actually aid in the fight against terrorism, since they are participants in the interconnected worldwide financial system:

  • Routinely screen all new staff to confirm background data.
  • Undertake due diligence on all partnerships and suppliers, especially in high-risk markets.
  • Implement extra financial controls in high-risk markets.
  • Retain communications records as long as allowed by local law.
  • Pursue prosecution of illegal use of brands and counterfeiters, who potentially feed money into terrorism.
  • Establish effective liaison with law enforcement and report activity of interest to them.

ACC's 2008 InfoPAK, "Homeland Security," also includes a detailed overview of management's responsibility with regard to terrorism, disaster recovery strategies, and a guide to compliance with international and domestic law.

Another long-term effect of terrorism afflicting our transportation systems is the stepped-up 'security theater' which invariably follows attacks. A 2009 Docket article, "What International Travelers Should Know About Border and Airport Electronic Equipment Searches," breaks down precisely how to navigate these pitfalls, especially when carrying valuable business electronics and equipment.

Finally, not all attacks are physical. General counsel are increasingly concerned about data security, both with regard to hacking for IP theft or corporate sabotage and with regard to data theft and the myriad dangers following a breach. Top legal officers should be aware of organized and well-funded groups that may attack companies for strategic national objectives. A December 2015 article, "Advanced Persistent Threats: Effective Response to Nation-State Attacks," introduces the threat that these sophisticated groups pose, which can be as devastating as a physical attack. An increasingly interconnected world is one in which wrongdoers have unprecedented access to your data — and this requires constant vigilance.
