The three pegged their conversation to the 2014 cyberattack on Sony Pictures that divulged thousands of employee emails and personal information along with copies of yet-to-be-released films. Kachhia-Patel referred to the event as a “catastrophic intrusion” that caught everyone, regardless of their sector, off guard.
“It was a real watershed moment, not only for the [entertainment]industry, but for the government and their response as well,” said Kacchia-Patel.
While at CBS, Nuñez said that it took a while for him and his colleagues to fully understand the impact of the hack, which would go on to have a ripple effect for years to come.
“There was a certain level of knowledge and sophistication about these issues, but the [Sony incident] certainly raised awareness.”
He said that CBS executives responded to the hack by creating a corporate culture where cybersecurity was no longer an afterthought.
“It wasn’t relegated to, ‘Oh, this is an IT issue,’ or ‘How good is our firewall?’” recalled Nuñez.
Kaccia-Patel said the event also became a teachable moment that underscored the importance of developing a strong relationship between corporate leadership and their local FBI field offices. He noted that executives at Sony knew who to call at the FBI’s Los Angeles field office and agents were on the scene just hours after the attack. He added that the FBI relationship should also be buttressed with that of a private security firm to help companies get back onto their feet in a timely manner. The government’s approach is also multipronged, he said.
“The bureau is out in front, but we’re also bringing other government resources to the table as well, such as the NHS and the NSA,” he said.
Nuñez said that the era of the Sony attack continues to reverberate, including in the recent transition to working from home during the pandemic.
“We were going from 20,000 employees who were mostly in an office environment to 20,000 remote locations,” he said. “It wasn’t just an issue of is the system going to work where everyone can have access to it, but also are the security protocols going to be good enough.”
He added that cybersecurity is far from being an afterthought in the C-Suite, it’s also part of the board’s fiduciary responsibility.
“Obviously, there is a constant focus now, and there’s no perfect way to protect yourself, but I think such awareness needs to be an ongoing,”