Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

4/30/2019
10:30 AM
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

How to Help Your Board Navigate Cybersecurity's Legal Risks

What's worse than a massive data breach? A massive data breach followed by a shareholder derivative lawsuit. Learn what's at stake and what CISOs can do to mitigate the damage.

CISOs have been lightly tapping on the boardroom door for years but now have a reason to confidently take a seat at the table. Why? Because lawsuits related to data breaches and cybersecurity incidents are on the rise nationally. This increased legal risk is the reason that all boards should be making cybersecurity discussions part of their agenda — not just during budget season, but at every major meeting.

Legal risk can come in many forms, including from your company's own owners: the shareholders. Shareholder derivative lawsuits are lawsuits brought on behalf of a corporation by its own shareholders, against the officers and directors of the corporation for failing at their duties. Each officer or director is said to have a "fiduciary" duty to the corporation, including the "duty of care."

What does that mean? It means that, by law, each director has a duty to act with the best interests of the corporation and shareholders in executing their jobs, and they also must inform themselves of "all material information reasonably available to them" prior to making a decision. To protect the interests of the corporation (and its shareholders), directors also have a duty to review information presented to them with a critical eye. What does all this legal garble have to do with cybersecurity risk? Everything. Directors can no longer shrug off cybersecurity risk as technical geek-speak but, rather, have a duty by law to understand the real issues. Failing to truly grasp what is stake can put the company not only at risk from a breach but also a lawsuit. 

Take the Equifax data breach, which resulted in the filing of dozens of lawsuits, including by Equifax's shareholders. The lawsuits alleged that the executive board of Equifax failed to maintain adequate security measures to protect against data breaches. At the heart of a cybersecurity lawsuit like this is the fundamental allegation that the board of directors failed to understand and mitigate against cyber-risk.

What should a company do differently? Here are three suggestions:

1. The CISO should be at the table during all board discussions of cyber-risk. 
Ideally, the CISO should report directly to the board of directors. By allowing a third party to carry that information forward — even if it is the CEO — board members are setting themselves up for allegations that they did not receive the full picture. Just the simple act of inviting a company CISO (or, if a company does not have one, the CIO) into the conversation can help mitigate legal risk. 

2. Cybersecurity needs to be a meaningful part of the board agenda.
This one is tricky. Boards of directors are often made up of intelligent and business-savvy men and women. The problem: Business acumen sometimes does not translate into technical geek-speak. While a board may have a desire to understand cyber-risk, it often doesn't have the capacity to do so. Corporations should appoint board members who have a cybersecurity background to help guide the discussion. But, absent that, conducting board-level training related to cybersecurity can make sure that the right questions get asked. Ideally, this board training is led by someone outside of the organization. Why? Because this way, a board can claim it relied on a reputable third-party cybersecurity expert and was not influenced by the biases of its own corporate team.

3. Get real about the true issues. 
If officers — including CISOs — try to sweep risk under the rug, then nothing gets fixed. If the corporation has been sitting on a ticking time bomb for years, the board needs to know. But be thoughtful about risky conversations before you have them out loud, and make sure that confidentiality — through in-house or outside counsel — is utilized. The protective shield of attorney-client privilege works only if an attorney is part of the conversation. If you know that your board report is going to contain a bombshell, bring in-house counsel up to speed or (verbally) alert your team that you think a lawyer needs to be brought in for the conversation to navigate through the legal risks. The last thing outside counsel wants to discover after a data breach is that there was a report discussing the incredible risk to the company before the breach happened. Remember also that internal emails or presentations are prime exhibits in lawsuits. Be thoughtful about how your words could be used later and circle up with counsel before you describe the risks. In the age of cyber-related lawsuits, CISOs and legal teams have to work hand-in-hand to protect the company from all threats.

When a company suffers a massive breach followed by a shareholder derivative lawsuit, it can feel like Humpty Dumpty has fallen off the wall and that the company is shattered into a million pieces. Some organizations never recover from that tumble. In any company, the board of directors and the CISO need to be working together in advance of a breach to protect against both threat actors and claims from shareholders that the company did not appreciate cyber-risk. 

Related Content:

 

 

 Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Beth Burgin Waller is a lawyer who knows how to navigate between the server room and the board room. As chair of the cybersecurity & data privacy practice at Woods Rogers, she advises clients on cybersecurity and on data privacy concerns. In this capacity, she ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Windows 10 Migration: Getting It Right
Kevin Alexandra, Principal Solutions Engineer at BeyondTrust,  5/15/2019
Baltimore Ransomware Attack Takes Strange Twist
Kelly Jackson Higgins, Executive Editor at Dark Reading,  5/14/2019
When Older Windows Systems Won't Die
Kelly Sheridan, Staff Editor, Dark Reading,  5/17/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Who replaced the "Scroll Lock" key with a "Screen Lock" key?
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-12173
PUBLISHED: 2019-05-18
MacDown 0.7.1 (870) allows remote code execution via a file:\\\ URI, with a .app pathname, in the HREF attribute of an A element. This is different from CVE-2019-12138.
CVE-2019-12172
PUBLISHED: 2019-05-17
Typora 0.9.9.21.1 (1913) allows arbitrary code execution via a modified file: URL syntax in the HREF attribute of an AREA element, as demonstrated by file:\\\ on macOS or Linux, or file://C| on Windows. This is different from CVE-2019-12137.
CVE-2019-12168
PUBLISHED: 2019-05-17
Four-Faith Wireless Mobile Router F3x24 v1.0 devices allow remote code execution via the Command Shell (aka Administration > Commands) screen.
CVE-2019-12170
PUBLISHED: 2019-05-17
ATutor through 2.2.4 is vulnerable to arbitrary file uploads via the mods/_core/backups/upload.php (aka backup) component. This may result in remote command execution. An attacker can use the instructor account to fully compromise the system using a crafted backup ZIP archive. This will allow for PH...
CVE-2019-11644
PUBLISHED: 2019-05-17
In the F-Secure installer in F-Secure SAFE for Windows before 17.6, F-Secure Internet Security before 17.6, F-Secure Anti-Virus before 17.6, F-Secure Client Security Standard and Premium before 14.10, F-Secure PSB Workstation Security before 12.01, and F-Secure Computer Protection Standard and Premi...