Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

4/30/2019
10:30 AM
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

How to Help Your Board Navigate Cybersecurity's Legal Risks

What's worse than a massive data breach? A massive data breach followed by a shareholder derivative lawsuit. Learn what's at stake and what CISOs can do to mitigate the damage.

CISOs have been lightly tapping on the boardroom door for years but now have a reason to confidently take a seat at the table. Why? Because lawsuits related to data breaches and cybersecurity incidents are on the rise nationally. This increased legal risk is the reason that all boards should be making cybersecurity discussions part of their agenda — not just during budget season, but at every major meeting.

Legal risk can come in many forms, including from your company's own owners: the shareholders. Shareholder derivative lawsuits are lawsuits brought on behalf of a corporation by its own shareholders, against the officers and directors of the corporation for failing at their duties. Each officer or director is said to have a "fiduciary" duty to the corporation, including the "duty of care."

What does that mean? It means that, by law, each director has a duty to act with the best interests of the corporation and shareholders in executing their jobs, and they also must inform themselves of "all material information reasonably available to them" prior to making a decision. To protect the interests of the corporation (and its shareholders), directors also have a duty to review information presented to them with a critical eye. What does all this legal garble have to do with cybersecurity risk? Everything. Directors can no longer shrug off cybersecurity risk as technical geek-speak but, rather, have a duty by law to understand the real issues. Failing to truly grasp what is stake can put the company not only at risk from a breach but also a lawsuit. 

Take the Equifax data breach, which resulted in the filing of dozens of lawsuits, including by Equifax's shareholders. The lawsuits alleged that the executive board of Equifax failed to maintain adequate security measures to protect against data breaches. At the heart of a cybersecurity lawsuit like this is the fundamental allegation that the board of directors failed to understand and mitigate against cyber-risk.

What should a company do differently? Here are three suggestions:

1. The CISO should be at the table during all board discussions of cyber-risk. 
Ideally, the CISO should report directly to the board of directors. By allowing a third party to carry that information forward — even if it is the CEO — board members are setting themselves up for allegations that they did not receive the full picture. Just the simple act of inviting a company CISO (or, if a company does not have one, the CIO) into the conversation can help mitigate legal risk. 

2. Cybersecurity needs to be a meaningful part of the board agenda.
This one is tricky. Boards of directors are often made up of intelligent and business-savvy men and women. The problem: Business acumen sometimes does not translate into technical geek-speak. While a board may have a desire to understand cyber-risk, it often doesn't have the capacity to do so. Corporations should appoint board members who have a cybersecurity background to help guide the discussion. But, absent that, conducting board-level training related to cybersecurity can make sure that the right questions get asked. Ideally, this board training is led by someone outside of the organization. Why? Because this way, a board can claim it relied on a reputable third-party cybersecurity expert and was not influenced by the biases of its own corporate team.

3. Get real about the true issues. 
If officers — including CISOs — try to sweep risk under the rug, then nothing gets fixed. If the corporation has been sitting on a ticking time bomb for years, the board needs to know. But be thoughtful about risky conversations before you have them out loud, and make sure that confidentiality — through in-house or outside counsel — is utilized. The protective shield of attorney-client privilege works only if an attorney is part of the conversation. If you know that your board report is going to contain a bombshell, bring in-house counsel up to speed or (verbally) alert your team that you think a lawyer needs to be brought in for the conversation to navigate through the legal risks. The last thing outside counsel wants to discover after a data breach is that there was a report discussing the incredible risk to the company before the breach happened. Remember also that internal emails or presentations are prime exhibits in lawsuits. Be thoughtful about how your words could be used later and circle up with counsel before you describe the risks. In the age of cyber-related lawsuits, CISOs and legal teams have to work hand-in-hand to protect the company from all threats.

When a company suffers a massive breach followed by a shareholder derivative lawsuit, it can feel like Humpty Dumpty has fallen off the wall and that the company is shattered into a million pieces. Some organizations never recover from that tumble. In any company, the board of directors and the CISO need to be working together in advance of a breach to protect against both threat actors and claims from shareholders that the company did not appreciate cyber-risk. 

Related Content:

 

 

 Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Beth Burgin Waller is a lawyer who knows how to navigate between the server room and the board room. As chair of the cybersecurity & data privacy practice at Woods Rogers, she advises clients on cybersecurity and on data privacy concerns. In this capacity, she ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Attackers' Costs Increasing as Businesses Focus on Security
Robert Lemos, Contributing Writer,  11/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: -when I told you that our cyber-defense was from another age
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-1817
PUBLISHED: 2019-11-20
MediaWiki before 1.19.4 and 1.20.x before 1.20.3 contains an error in the api.php script which allows remote attackers to obtain sensitive information.
CVE-2013-2091
PUBLISHED: 2019-11-20
SQL injection vulnerability in Dolibarr ERP/CRM 3.3.1 allows remote attackers to execute arbitrary SQL commands via the 'pays' parameter in fiche.php.
CVE-2012-1257
PUBLISHED: 2019-11-20
Pidgin 2.10.0 uses DBUS for certain cleartext communication, which allows local users to obtain sensitive information via a dbus session monitor.
CVE-2013-1816
PUBLISHED: 2019-11-20
MediaWiki before 1.19.4 and 1.20.x before 1.20.3 allows remote attackers to cause a denial of service (application crash) by sending a specially crafted request.
CVE-2011-4455
PUBLISHED: 2019-11-20
Multiple cross-site scripting vulnerabilities in Tiki 7.2 and earlier allow remote attackers to inject arbitrary web script or HTML via the path info to (1) tiki-admin_system.php, (2) tiki-pagehistory.php, (3) tiki-removepage.php, or (4) tiki-rename_page.php.