In the last quarter of 2017, I have observed a cybersecurity trend that has given me more hope than any that I have seen previously. Let me explain.
As an attorney, I have been practicing what can generally be described as cyber law or cybersecurity law since 1999, which means that my practice has evolved a lot over the years. It also means that I have seen a lot over the years.
My practice has been divided into three distinct areas over the last several years:
Proactively, by helping clients assess and understand their overall cyber risk and then developing, implementing, and maturing a strategic cyber risk management program that prioritizes their efforts to help minimize their cyber risk.
Reactively, by leading companies through the cyber incident response and data breach response process (e.g., as a “breach guide” or “breach quarterback”) and regulatory investigations and enforcement actions.
Reactively, by representing clients in litigation involving cyber-related claims like data loss, data theft, computer hacking, and business to business disputes concerning responsibility for cyber incidents.
For nearly twenty years, the number of clients that have hired me to help in a reactive role, such as with incident response and litigation of cyber claims, has towered above those who have sought my help for proactively assessing their cyber risk and developing and implementing a cyber risk management program. It has not even been close.
This has not been due to a lack of effort on my part. I have always done my best to encourage clients to be responsible when it comes to cybersecurity by being proactive and focusing first on risk management and prevention, but this has generally fallen on deaf ears. They did not want to be cyber responsible — or, even if they did want to be, they were not willing to invest resources into being cyber responsible.
But in the last quarter of 2017, this has changed.
The trend that I have observed developing over the last quarter of 2017 is outstanding! For the last few months I have had substantially more clients hire our firm to help them with a proactive cyber risk management program than we have ever seen in the past, so much so that the amount of work we are now doing on these programs is equal to or greater than the amount of work we are doing on incident response and litigation.
What makes this trend so great? The answer is simple: it shows that companies are finally starting to get it! They are finally seeing that it is better for them to invest resources into proactively preventing cyber incidents and data breaches from happening than it is to sit back and wait with the only strategy being to hope that it will not happen to them — because it will happen to them if they do nothing to stop it.
I hope that the trend that I am seeing is consistent across the industry. If it is, we just may be turning the corner in the war on cybercrime that is destroying our companies and decimating our individual privacy.
Shawn Tuma (@shawnetuma) is an attorney with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Attorney at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.
Does the board of directors’ duty of oversight over their companies’ cybersecurity require the individual directors to become experts on cybersecurity? That is a fair question and one that I’ve seen many people have difficulty understanding.
As the risk of breaches increases, boards – whose role when they oversee the CEO is to act as fiduciaries on behalf of shareholders – are increasingly at risk of falling short of their responsibilities. While board members are not expected to be experts on information security, they must make sure that the company has the right people and processes in place to erect defenses against information security violations, to establish procedures for monitoring the level of information security, and to make sure that the right steps are taken should a security breach occur.
Santarcangelo interviews Peter S. Cohan in this article and shares additional insight that all directors, CEOs, and CISOs need to understand about each of their respective roles in this process. Take the time to read this article.
New York’s Cybersecurity Regulations went into effect on March 1, 2017 and their impact could reach farther than you think — including to small and mid-sized companies that do not do business in New York and are not in the financial services industries. And, they require direct involvement by the Board of Directors. Is your company ready?
In my latest Ethical Boardroom article, I explain
how these Cybersecurity Regulations can impact businesses of all sizes, in all industries, and all around the world,
what specific steps regulated companies must take to be in compliance with the Cybersecurity Regulations, and
what these Cybersecurity Regulations mean for nearly all companies.
Shawn Tuma (@shawnetuma) is a business lawyer with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Partner at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.
The Wall Street Journal interviewed my friend, collaborator, prolific author, and the original Cyber Patriot, Paul Ferrillo, to discuss how companies can make their cybersecurity plan better. Here is the full article: Making Your Cybersecurity Plan Better
Paul and I are both firm believers in focusing on the basics, so that is all you really need to know to make you want to read the article. Beyond that, I’m not going to spoil it here by giving away all of the answers, but here are some of the topics that Paul explains in more detail in the article:
What are the biggest mistakes companies make when it comes to thinking about and executing on a cybersecurity plan?
Why companies have trouble communicating about cybersecurity issues.
What companies can do to improve their communications.
Whether boards are getting better about cybersecurity issues.
Where companies are falling short in training employees about cybersecurity.
How companies should think about cybersecurity in the new Trump administration.