Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

4/30/2019
10:30 AM
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

How to Help Your Board Navigate Cybersecurity's Legal Risks

What's worse than a massive data breach? A massive data breach followed by a shareholder derivative lawsuit. Learn what's at stake and what CISOs can do to mitigate the damage.

CISOs have been lightly tapping on the boardroom door for years but now have a reason to confidently take a seat at the table. Why? Because lawsuits related to data breaches and cybersecurity incidents are on the rise nationally. This increased legal risk is the reason that all boards should be making cybersecurity discussions part of their agenda — not just during budget season, but at every major meeting.

Legal risk can come in many forms, including from your company's own owners: the shareholders. Shareholder derivative lawsuits are lawsuits brought on behalf of a corporation by its own shareholders, against the officers and directors of the corporation for failing at their duties. Each officer or director is said to have a "fiduciary" duty to the corporation, including the "duty of care."

What does that mean? It means that, by law, each director has a duty to act with the best interests of the corporation and shareholders in executing their jobs, and they also must inform themselves of "all material information reasonably available to them" prior to making a decision. To protect the interests of the corporation (and its shareholders), directors also have a duty to review information presented to them with a critical eye. What does all this legal garble have to do with cybersecurity risk? Everything. Directors can no longer shrug off cybersecurity risk as technical geek-speak but, rather, have a duty by law to understand the real issues. Failing to truly grasp what is stake can put the company not only at risk from a breach but also a lawsuit. 

Take the Equifax data breach, which resulted in the filing of dozens of lawsuits, including by Equifax's shareholders. The lawsuits alleged that the executive board of Equifax failed to maintain adequate security measures to protect against data breaches. At the heart of a cybersecurity lawsuit like this is the fundamental allegation that the board of directors failed to understand and mitigate against cyber-risk.

What should a company do differently? Here are three suggestions:

1. The CISO should be at the table during all board discussions of cyber-risk. 
Ideally, the CISO should report directly to the board of directors. By allowing a third party to carry that information forward — even if it is the CEO — board members are setting themselves up for allegations that they did not receive the full picture. Just the simple act of inviting a company CISO (or, if a company does not have one, the CIO) into the conversation can help mitigate legal risk. 

2. Cybersecurity needs to be a meaningful part of the board agenda.
This one is tricky. Boards of directors are often made up of intelligent and business-savvy men and women. The problem: Business acumen sometimes does not translate into technical geek-speak. While a board may have a desire to understand cyber-risk, it often doesn't have the capacity to do so. Corporations should appoint board members who have a cybersecurity background to help guide the discussion. But, absent that, conducting board-level training related to cybersecurity can make sure that the right questions get asked. Ideally, this board training is led by someone outside of the organization. Why? Because this way, a board can claim it relied on a reputable third-party cybersecurity expert and was not influenced by the biases of its own corporate team.

3. Get real about the true issues. 
If officers — including CISOs — try to sweep risk under the rug, then nothing gets fixed. If the corporation has been sitting on a ticking time bomb for years, the board needs to know. But be thoughtful about risky conversations before you have them out loud, and make sure that confidentiality — through in-house or outside counsel — is utilized. The protective shield of attorney-client privilege works only if an attorney is part of the conversation. If you know that your board report is going to contain a bombshell, bring in-house counsel up to speed or (verbally) alert your team that you think a lawyer needs to be brought in for the conversation to navigate through the legal risks. The last thing outside counsel wants to discover after a data breach is that there was a report discussing the incredible risk to the company before the breach happened. Remember also that internal emails or presentations are prime exhibits in lawsuits. Be thoughtful about how your words could be used later and circle up with counsel before you describe the risks. In the age of cyber-related lawsuits, CISOs and legal teams have to work hand-in-hand to protect the company from all threats.

When a company suffers a massive breach followed by a shareholder derivative lawsuit, it can feel like Humpty Dumpty has fallen off the wall and that the company is shattered into a million pieces. Some organizations never recover from that tumble. In any company, the board of directors and the CISO need to be working together in advance of a breach to protect against both threat actors and claims from shareholders that the company did not appreciate cyber-risk. 

Related Content:

 

 

 Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Beth Burgin Waller is a lawyer who knows how to navigate between the server room and the board room. As chair of the cybersecurity & data privacy practice at Woods Rogers, she advises clients on cybersecurity and on data privacy concerns. In this capacity, she ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Where Businesses Waste Endpoint Security Budgets
Kelly Sheridan, Staff Editor, Dark Reading,  7/15/2019
US Mayors Commit to Just Saying No to Ransomware
Robert Lemos, Contributing Writer,  7/16/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-17210
PUBLISHED: 2019-07-20
An issue was discovered in PrinterOn Central Print Services (CPS) through 4.1.4. The core components that create and launch a print job do not perform complete verification of the session cookie that is supplied to them. As a result, an attacker with guest/pseudo-guest level permissions can bypass t...
CVE-2019-12934
PUBLISHED: 2019-07-20
An issue was discovered in the wp-code-highlightjs plugin through 0.6.2 for WordPress. wp-admin/options-general.php?page=wp-code-highlight-js allows CSRF, as demonstrated by an XSS payload in the hljs_additional_css parameter.
CVE-2019-9229
PUBLISHED: 2019-07-20
An issue was discovered on AudioCodes Mediant 500L-MSBR, 500-MBSR, M800B-MSBR and 800C-MSBR devices with firmware versions F7.20A to F7.20A.251. An internal interface exposed to the link-local address 169.254.254.253 allows attackers in the local network to access multiple quagga VTYs. Attackers can...
CVE-2019-12815
PUBLISHED: 2019-07-19
An arbitrary file copy vulnerability in mod_copy in ProFTPD up to 1.3.5b allows for remote code execution and information disclosure without authentication, a related issue to CVE-2015-3306.
CVE-2019-13569
PUBLISHED: 2019-07-19
A SQL injection vulnerability exists in the Icegram Email Subscribers & Newsletters plugin through 4.1.7 for WordPress. Successful exploitation of this vulnerability would allow a remote attacker to execute arbitrary SQL commands on the affected system.