In recent years, data breaches at some of the world’s largest corporations have made news. But smaller companies are just as vulnerable, and must take steps to protect their data. In addition, businesses that serve as vendors to other businesses face increased scrutiny of their cyber preparations. The board of directors plays a critical role in this effort, as Jo Cicchetti, Chair of the Carlton Fields Jorden Burt Data Privacy and Cybersecurity Task Force, explained during a recent conversation.
Q: Why is cybersecurity a board concern?
Ms. Cicchetti: The board’s primary responsibility is to protect the company’s assets and interests on behalf of the shareholders, and cyber risks pose serious threats to the business operations and reputation of the business. So, the board must take into account cybersecurity risks as part of its enterprise risk management duties.
Q: Describe the risks posed by a breach.
Ms. Cicchetti: If the worst happens, a company could sustain financial and business losses, damage to its infrastructure and reputation. Customers, business partners and regulators could bring legal actions. Class actions from customers could result, and the board could face shareholder derivative suits, alleging that it and its members did not meet their duty of care and/or duty of loyalty to the corporation. Not to mention regulatory enforcement actions that could also result. So, the stakes are high.
Q: What must the board know about cybersecurity?
Ms. Cicchetti: Board members are not charged with becoming IT specialists—they don’t have day-to-day management responsibility for the issue. But the board needs to know that cyber risks are being handled properly, that the company is taking steps to prepare for any cyberattack, can detect cyber intrusions and when they do happen can respond properly. It must make sure that management has an incident response plan. The board must ask its managers—such as the chief legal officer, chief privacy officer and chief information security officer—particular questions such as: How is the company managing data security? Do we have internal written information security programs [WISPs]? What are the threats particular to the company’s business? What security framework is the company using? Which risks to avoid, accept, or mitigate and what is the plan related to each? How are employees being trained? How do we manage our vendors? What plan is in place for breach response, and who is in charge of that plan? Those are just some of the questions, but the important thing is that every department of the company—legal, IT, HR, operations—needs to communicate and work together. There can’t be a silo mentality.
Q: How active a role should the board take with respect to cybersecurity?
Ms. Cicchetti: Board members must take a regular and active role to make sure that cybersecurity and data governance issues are regularly reported to them by management. The topic should appear on the agendas for their quarterly meetings, and someone from either IT or the general counsel’s office should make a report addressing what’s happened in the last quarter—have there been incidents or events, and how have they managed any situations that arose? Vendor compliance should also be discussed, as well as any threats that result from customers’ and third-party access to company information systems, and how to address them. Also, the board needs to know that the right professionals are in place to advise the company.
Q: Who are the right professionals?
Ms. Cicchetti: A company needs access to technology experts, forensics experts, and privacy counsel. They need not necessarily be on staff, but must be identified and retained in case their services are ever needed. Everybody needs to be prepared and ready to go if a problem develops. You also need to have outside counsel onboard. The first 24 hours are critical. Retaining a public relations professional is also a good idea.
Q: How else can the board help prevent data breaches?
Ms. Cicchetti: The board cannot prevent data breaches, but there is a lot that can be done, and the board needs to know that the right steps have been taken. For example, employee training programs are critical because data breach situations often arise as a result of employee error or misconduct. There must also be a protocol or plan for incidents, and vendor due diligence and oversight is also important. Protecting against threats requires a multidisciplinary approach that involves the chief legal officer, chief information security officer, and human resources all working together. And, board members need to ask these people the right questions, which might include: What security frameworks are we using? Which company assets are the ‘crown jewels’ that need protection? What are the legal implications of cybersecurity incidents, and how do we avoid them? What risks should we accept? Do we get insurance? How are our employees being trained? What kind of testing do we do?
Q: What role should cyber risk insurance play in a company’s overall plan?
Ms. Cicchetti: Right now, cyber risk insurance is an evolving area. It is very expensive and doesn’t eliminate a company’s need to have a data security plan and proper implementation. The insurance company underwriting the policy will want to know that the company is taking the right steps before it insures the risk. Ultimately, if a company hasn’t done what it told its insurance company it would do, its coverage could be jeopardized.
Q: How do state breach laws impact a company’s data breach strategy?
Ms. Cicchetti: There is a patchwork of 50 state laws. A company’s legal department must understand the legal requirements in each of the 50 states. Normally, companies solve to the most difficult jurisdiction, setting up procedures that comply with the most stringent requirements where possible. The process is further complicated by the fact that states also differ in how they define a breach. And the laws are constantly changing. For companies without large internal legal resources, outside experts—such as privacy lawyers and technology consultants—are critical.
Q: Is there any way to eliminate the risk?
Ms. Cicchetti: There’s no way that anyone—even an organization with all the money and time in the world—can prevent attacks 100 percent of the time. Even the NSA, with its unlimited resources, was hacked. Companies just need to make sure they’re taking reasonable steps to deal with the risks and continue to stay informed. This is an area where it is very important to keep up with the Joneses.