Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

4/30/2019
10:30 AM
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

How to Help Your Board Navigate Cybersecurity's Legal Risks

What's worse than a massive data breach? A massive data breach followed by a shareholder derivative lawsuit. Learn what's at stake and what CISOs can do to mitigate the damage.

CISOs have been lightly tapping on the boardroom door for years but now have a reason to confidently take a seat at the table. Why? Because lawsuits related to data breaches and cybersecurity incidents are on the rise nationally. This increased legal risk is the reason that all boards should be making cybersecurity discussions part of their agenda — not just during budget season, but at every major meeting.

Legal risk can come in many forms, including from your company's own owners: the shareholders. Shareholder derivative lawsuits are lawsuits brought on behalf of a corporation by its own shareholders, against the officers and directors of the corporation for failing at their duties. Each officer or director is said to have a "fiduciary" duty to the corporation, including the "duty of care."

What does that mean? It means that, by law, each director has a duty to act with the best interests of the corporation and shareholders in executing their jobs, and they also must inform themselves of "all material information reasonably available to them" prior to making a decision. To protect the interests of the corporation (and its shareholders), directors also have a duty to review information presented to them with a critical eye. What does all this legal garble have to do with cybersecurity risk? Everything. Directors can no longer shrug off cybersecurity risk as technical geek-speak but, rather, have a duty by law to understand the real issues. Failing to truly grasp what is stake can put the company not only at risk from a breach but also a lawsuit. 

Take the Equifax data breach, which resulted in the filing of dozens of lawsuits, including by Equifax's shareholders. The lawsuits alleged that the executive board of Equifax failed to maintain adequate security measures to protect against data breaches. At the heart of a cybersecurity lawsuit like this is the fundamental allegation that the board of directors failed to understand and mitigate against cyber-risk.

What should a company do differently? Here are three suggestions:

1. The CISO should be at the table during all board discussions of cyber-risk. 
Ideally, the CISO should report directly to the board of directors. By allowing a third party to carry that information forward — even if it is the CEO — board members are setting themselves up for allegations that they did not receive the full picture. Just the simple act of inviting a company CISO (or, if a company does not have one, the CIO) into the conversation can help mitigate legal risk. 

2. Cybersecurity needs to be a meaningful part of the board agenda.
This one is tricky. Boards of directors are often made up of intelligent and business-savvy men and women. The problem: Business acumen sometimes does not translate into technical geek-speak. While a board may have a desire to understand cyber-risk, it often doesn't have the capacity to do so. Corporations should appoint board members who have a cybersecurity background to help guide the discussion. But, absent that, conducting board-level training related to cybersecurity can make sure that the right questions get asked. Ideally, this board training is led by someone outside of the organization. Why? Because this way, a board can claim it relied on a reputable third-party cybersecurity expert and was not influenced by the biases of its own corporate team.

3. Get real about the true issues. 
If officers — including CISOs — try to sweep risk under the rug, then nothing gets fixed. If the corporation has been sitting on a ticking time bomb for years, the board needs to know. But be thoughtful about risky conversations before you have them out loud, and make sure that confidentiality — through in-house or outside counsel — is utilized. The protective shield of attorney-client privilege works only if an attorney is part of the conversation. If you know that your board report is going to contain a bombshell, bring in-house counsel up to speed or (verbally) alert your team that you think a lawyer needs to be brought in for the conversation to navigate through the legal risks. The last thing outside counsel wants to discover after a data breach is that there was a report discussing the incredible risk to the company before the breach happened. Remember also that internal emails or presentations are prime exhibits in lawsuits. Be thoughtful about how your words could be used later and circle up with counsel before you describe the risks. In the age of cyber-related lawsuits, CISOs and legal teams have to work hand-in-hand to protect the company from all threats.

When a company suffers a massive breach followed by a shareholder derivative lawsuit, it can feel like Humpty Dumpty has fallen off the wall and that the company is shattered into a million pieces. Some organizations never recover from that tumble. In any company, the board of directors and the CISO need to be working together in advance of a breach to protect against both threat actors and claims from shareholders that the company did not appreciate cyber-risk. 

Related Content:

 

 

 Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Beth Burgin Waller is a lawyer who knows how to navigate between the server room and the board room. As chair of the cybersecurity & data privacy practice at Woods Rogers, she advises clients on cybersecurity and on data privacy concerns. In this capacity, she ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
For Cybersecurity to Be Proactive, Terrains Must Be Mapped
Craig Harber, Chief Technology Officer at Fidelis Cybersecurity,  10/8/2019
A Realistic Threat Model for the Masses
Lysa Myers, Security Researcher, ESET,  10/9/2019
USB Drive Security Still Lags
Dark Reading Staff 10/9/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-17537
PUBLISHED: 2019-10-13
Jiangnan Online Judge (aka jnoj) 0.8.0 has Directory Traversal for file deletion via the web/polygon/problem/deletefile?id=1&name=../ substring.
CVE-2019-17538
PUBLISHED: 2019-10-13
Jiangnan Online Judge (aka jnoj) 0.8.0 has Directory Traversal for file reading via the web/polygon/problem/viewfile?id=1&name=../ substring.
CVE-2019-17535
PUBLISHED: 2019-10-13
Gila CMS through 1.11.4 allows blog-list.php XSS, in both the gila-blog and gila-mag themes, via the search parameter, a related issue to CVE-2019-9647.
CVE-2019-17536
PUBLISHED: 2019-10-13
Gila CMS through 1.11.4 allows Unrestricted Upload of a File with a Dangerous Type via the moveAction function in core/controllers/fm.php. The attacker needs to use admin/media_upload and fm/move.
CVE-2019-17533
PUBLISHED: 2019-10-13
Mat_VarReadNextInfo4 in mat4.c in MATIO 1.5.17 omits a certain '\0' character, leading to a heap-based buffer over-read in strdup_vprintf when uninitialized memory is accessed.