Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

4/30/2019
10:30 AM
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

How to Help Your Board Navigate Cybersecurity's Legal Risks

What's worse than a massive data breach? A massive data breach followed by a shareholder derivative lawsuit. Learn what's at stake and what CISOs can do to mitigate the damage.

CISOs have been lightly tapping on the boardroom door for years but now have a reason to confidently take a seat at the table. Why? Because lawsuits related to data breaches and cybersecurity incidents are on the rise nationally. This increased legal risk is the reason that all boards should be making cybersecurity discussions part of their agenda — not just during budget season, but at every major meeting.

Legal risk can come in many forms, including from your company's own owners: the shareholders. Shareholder derivative lawsuits are lawsuits brought on behalf of a corporation by its own shareholders, against the officers and directors of the corporation for failing at their duties. Each officer or director is said to have a "fiduciary" duty to the corporation, including the "duty of care."

What does that mean? It means that, by law, each director has a duty to act with the best interests of the corporation and shareholders in executing their jobs, and they also must inform themselves of "all material information reasonably available to them" prior to making a decision. To protect the interests of the corporation (and its shareholders), directors also have a duty to review information presented to them with a critical eye. What does all this legal garble have to do with cybersecurity risk? Everything. Directors can no longer shrug off cybersecurity risk as technical geek-speak but, rather, have a duty by law to understand the real issues. Failing to truly grasp what is stake can put the company not only at risk from a breach but also a lawsuit. 

Take the Equifax data breach, which resulted in the filing of dozens of lawsuits, including by Equifax's shareholders. The lawsuits alleged that the executive board of Equifax failed to maintain adequate security measures to protect against data breaches. At the heart of a cybersecurity lawsuit like this is the fundamental allegation that the board of directors failed to understand and mitigate against cyber-risk.

What should a company do differently? Here are three suggestions:

1. The CISO should be at the table during all board discussions of cyber-risk. 
Ideally, the CISO should report directly to the board of directors. By allowing a third party to carry that information forward — even if it is the CEO — board members are setting themselves up for allegations that they did not receive the full picture. Just the simple act of inviting a company CISO (or, if a company does not have one, the CIO) into the conversation can help mitigate legal risk. 

2. Cybersecurity needs to be a meaningful part of the board agenda.
This one is tricky. Boards of directors are often made up of intelligent and business-savvy men and women. The problem: Business acumen sometimes does not translate into technical geek-speak. While a board may have a desire to understand cyber-risk, it often doesn't have the capacity to do so. Corporations should appoint board members who have a cybersecurity background to help guide the discussion. But, absent that, conducting board-level training related to cybersecurity can make sure that the right questions get asked. Ideally, this board training is led by someone outside of the organization. Why? Because this way, a board can claim it relied on a reputable third-party cybersecurity expert and was not influenced by the biases of its own corporate team.

3. Get real about the true issues. 
If officers — including CISOs — try to sweep risk under the rug, then nothing gets fixed. If the corporation has been sitting on a ticking time bomb for years, the board needs to know. But be thoughtful about risky conversations before you have them out loud, and make sure that confidentiality — through in-house or outside counsel — is utilized. The protective shield of attorney-client privilege works only if an attorney is part of the conversation. If you know that your board report is going to contain a bombshell, bring in-house counsel up to speed or (verbally) alert your team that you think a lawyer needs to be brought in for the conversation to navigate through the legal risks. The last thing outside counsel wants to discover after a data breach is that there was a report discussing the incredible risk to the company before the breach happened. Remember also that internal emails or presentations are prime exhibits in lawsuits. Be thoughtful about how your words could be used later and circle up with counsel before you describe the risks. In the age of cyber-related lawsuits, CISOs and legal teams have to work hand-in-hand to protect the company from all threats.

When a company suffers a massive breach followed by a shareholder derivative lawsuit, it can feel like Humpty Dumpty has fallen off the wall and that the company is shattered into a million pieces. Some organizations never recover from that tumble. In any company, the board of directors and the CISO need to be working together in advance of a breach to protect against both threat actors and claims from shareholders that the company did not appreciate cyber-risk. 

Related Content:

 

 

 Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Beth Burgin Waller is a lawyer who knows how to navigate between the server room and the board room. As chair of the cybersecurity & data privacy practice at Woods Rogers, she advises clients on cybersecurity and on data privacy concerns. In this capacity, she ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
Former CISA Director Chris Krebs Discusses Risk Management & Threat Intel
Kelly Sheridan, Staff Editor, Dark Reading,  2/23/2021
Edge-DRsplash-10-edge-articles
Security + Fraud Protection: Your One-Two Punch Against Cyberattacks
Joshua Goldfarb, Director of Product Management at F5,  2/23/2021
News
Cybercrime Groups More Prolific, Focus on Healthcare in 2020
Robert Lemos, Contributing Writer,  2/22/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Building the SOC of the Future
Building the SOC of the Future
Digital transformation, cloud-focused attacks, and a worldwide pandemic. The past year has changed the way business works and the way security teams operate. There is no going back.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-27225
PUBLISHED: 2021-03-01
In Dataiku DSS before 8.0.6, insufficient access control in the Jupyter notebooks integration allows users (who have coding permissions) to read and overwrite notebooks in projects that they are not authorized to access.
CVE-2021-27132
PUBLISHED: 2021-02-27
SerComm AG Combo VD625 AGSOT_2.1.0 devices allow CRLF injection (for HTTP header injection) in the download function via the Content-Disposition header.
CVE-2021-25284
PUBLISHED: 2021-02-27
An issue was discovered in through SaltStack Salt before 3002.5. salt.modules.cmdmod can log credentials to the info or error log level.
CVE-2021-3144
PUBLISHED: 2021-02-27
In SaltStack Salt before 3002.5, eauth tokens can be used once after expiration. (They might be used to run command against the salt master or minions.)
CVE-2021-3148
PUBLISHED: 2021-02-27
An issue was discovered in SaltStack Salt before 3002.5. Sending crafted web requests to the Salt API can result in salt.utils.thin.gen_thin() command injection because of different handling of single versus double quotes. This is related to salt/utils/thin.py.