A continuing series highlighting developments in privacy and security.
We predict that 2017 will see even more:
- Ransomware, ransomware, ransomware
- Headline-making cyber breaches in multiple industries, especially healthcare
- Ongoing uncertainty about the viability of class action lawsuits for data breaches
- Activist shareholders calling for removal of directors who failed to anticipate the risks
- More attempts to legislate, regulate and "guide" from a range of U.S. agencies, as everyone wants a piece of the action
- More enforcement actions by the FTC, even amidst continuing challenges to its jurisdiction
- Increasing demand for connected devices and the continuing explosion of "the Internet of Things"
- Clarity (we hope) from the EU on the implementation of the General Data Protection Regulation, and more data localization laws from countries outside the U.S.
Given the increasing frequency of cybersecurity incidents, and the growing impact of those incidents on business operations, reputation and assets, a board of directors' oversight activities should include ensuring the adequacy of a company's cybersecurity measures. The issues are complicated, and there are no simple solutions. But there are things Boards and management can do to begin to quantify and mitigate the risks.
Actions to Take Now
- Adopt a framework for weighing risks and developing plans. Consider using the Framework for Improving Critical Infrastructure Cybersecurity, released by the National Institute of Standards and Technology (NIST) in February 2014. While not a requirement or mandate, it may become the standard against which legal and regulatory reviews are measured.
- Assign roles. Appoint a board member or committee with responsibility to oversee cybersecurity. Convene leaders from IT, HR, Legal, Operations and other relevant areas to discuss risks and mitigation strategies. Assign clear lines of communication and authority to deal with a cybersecurity emergency or breach.
- Educate yourselves. Understand the legal, regulatory, contractual and other data protection and cybersecurity requirements applicable to the business and industry. Understand the contingencies and risks. Get regular reports from your CIO, security personnel and appropriate Board committees on preventative measures and on the occurrence and handling of any security incidents.
- Commit adequate resources. Based on the risks and requirements of your specific business, understand who is handling cybersecurity on a day-to-day basis. Assess whether your resources are adequate.
- Evaluate and improve vendor management. If third parties have access to protected data, or provide critical infrastructure for your operations, ask whether their people, processes and technologies measure up against your standards. Do you have contractual and other protections in place? Are you auditing to maintain ongoing compliance? Are your vendors required to notify you if they experience a breach that impacts your data? If the answer is no to any of these, make plans for improvement.
- Provide training. A good data protection and cybersecurity program includes employee training and awareness. It cannot be 'one and done'; it needs to be regular and ongoing. Employees are still the number one cause of cyber incidents!
- Conduct a regular risk assessment. Cover the adequacy of controls to respond to technological developments and evolving threats, to monitor threats, and to respond and recover from incidents.
- Consider insurance. Cyber insurance is readily available and may help mitigate some risks.
- Practice. Test your incident response plans through tabletop exercises. Include your outside counsel, forensic experts and others who will likely be involved in an actual response.
- Repeat! Cybersecurity issues are here to stay. Addressing cybersecurity is not just an IT issue; it is a core business risk that Boards and executive leadership need to understand and oversee.