Does Board Oversight of Cybersecurity Mean Directors Must Become Cybersecurity Experts?

Does the board of directors’ duty of oversight over their company’s cybersecurity require the individual directors to become experts on cybersecurity? That is a fair question, and one that I have seen many people struggle with.

The answer is “no,” as explained by Michael Santarcangelo (@catalyst) in his CSO article Why the board needs security leaders to fuel disciplined growth:

As the risk of breaches increases, boards – whose role when they oversee the CEO is to act as fiduciaries on behalf of shareholders – are increasingly at risk of falling short of their responsibilities. While board members are not expected to be experts on information security, they must make sure that the company has the right people and processes in place to erect defenses against information security violations, to establish procedures for monitoring the level of information security, and to make sure that the right steps are taken should a security breach occur.

Santarcangelo interviews Peter S. Cohan in this article and shares additional insight that all directors, CEOs, and CISOs need to understand about each of their respective roles in this process. Take the time to read this article.


3 More Key Cybersecurity Takeaways General Counsel Should Learn from Yahoo

The lessons that general counsel can learn from the Yahoo data breach just keep coming. A month ago I published 5 Key Takeaways from Verizon’s GC on Lessons Learned from Yahoo Deal and recently I read Yahoo’s Warning to GCs: Your Job Description Just Expanded (Big-Time), which I found to be excellent.

Here are 3 key cybersecurity takeaways for general counsel, each of which the article describes in more detail. The explanation in the article is very good and the author provides actionable recommendations; I encourage you to read the entire article:

  1. The general counsel has emerged as the most logical and effective quarterback of data breach response.
  2. Yahoo’s actions not only signal the evolution of a new standard of care for general counsel when it comes to cybersecurity but also signal a vast expansion of general counsel oversight.
  3. Cybersecurity presents every bit as much risk as a financial reporting failure, if not more, and should receive the same level of oversight and audit.

______________________

Shawn Tuma (@shawnetuma) is a business lawyer with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Partner at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.

5 Key Takeaways from Verizon’s GC on Lessons Learned from Yahoo Deal

A good friend recently shared with me the article Verizon GC on the Lessons Learned from Deal with Yahoo (use Linkedin for paywall access) because he thought it would be valuable information to add to my own cybersecurity knowledge toolbox. Given the experience Verizon’s GC has gained through this process, when he talks about lessons learned, we should all pay attention.

Here are the 5 key takeaways to keep in mind for mergers and acquisitions such as this one:

  1. Have a strategy on how to handle the news of data breaches.
  2. Analyze how a data breach impacts the original goals of the deal and how it will impact investors.
  3. Be very disciplined in messaging, ensuring that all public statements, to all audiences, are a variation of the same core messages.
  4. Know what the parties’ agreement says about data breaches, which necessarily requires that the agreement address the issue of data breaches in the first place.
  5. While due diligence around data breaches may be important, it is more important to have reps and warranties around data breaches because it is unreasonable to expect due diligence to find what the company itself hasn’t found.


Yes, Officers & Directors Can Be Held Personally Liable for Their Company’s Data Breach – Here’s Why


“Can I be held personally liable for my company’s data breach?”

That is one of the questions I am asked many times by officers and directors of companies. For companies doing business in Texas, the answer could be “YES!” although the usual reasons provided are not nearly as straightforward as the one discussed in the video below.

***Please note, this analysis applies only to officers and directors, not regular employees of a company.


4 Ways to Engage Executives in Cyber Risk

The CIO Journal has an informative article, 4 Ways to Engage Executives in Cyber Risk, that discusses a handful of ideas that can be helpful for engaging company executives on the issue of cybersecurity risks. Here are the 4 steps it suggests:

  1. Host a cyber risk heat-mapping session
  2. Establish key risk and performance indicators
  3. Simulate a cyber incident
  4. Scrutinize the security implications of new technologies

All are very good and the article offers a nice explanation for each step.


3 Key Points the Board Needs to Know About Cybersecurity

Officer and director liability for cybersecurity incidents is a hot topic. It will only get hotter because, when it comes to risks impacting the company, the buck stops at the Board of Directors. As it should.

Cybersecurity and corporate governance law are converging to develop a duty for the Board to be involved in cybersecurity issues that affect the company. The question, however, is how granular the Board’s role should be when it comes to cybersecurity.

Managing Cybersecurity Risks for Boards of Directors

In his latest Ethical Boardroom article (Winter 2016), Shawn Tuma explains why it is important for board members to have an active role in their company’s cybersecurity preparation and tells them several key steps they can take to do so. Tuma also explains why cybersecurity is as much a legal issue and a business issue as it is an IT issue.

Cybersecurity Legal Year in Review – #DtSR Podcast

Do not miss this podcast discussing key cybersecurity legal events from 2015. Shawn Tuma joined the DtSR Gang [Rafal Los (@Wh1t3Rabbit), James Jardine (@JardineSoftware), and Michael Santarcangelo (@Catalyst)] on the Down the Security Rabbit Hole podcast.

In this episode…

  • Most important cybersecurity-related legal developments of 2015
    • Tectonic Shift that occurred with “standing” in consumer data breach claims
      • Discussion of law prior to Neiman Marcus case, and post-Neiman Marcus
      • Does this now apply to all consumer data breach cases?
      • Immediate impact? Companies now liable?
      • Lesson is in seeing the trend and how incrementalism works
      • Michaels & SuperValu case dismissals in light of Neiman Marcus
  • Regulatory Trends
    • FTC & SEC gave hints in 2014, post-emergence of Target details
    • Wyndham challenged authority – came to fruition in August 2015
    • SEC not far behind – significant case in September 2015
    • Aggressiveness of FTC is substantial – FTC v. LabMD … all over LimeWire
  • Officer & Director Liability
    • 2014 – SEC Comm. fired the warning shot … pointed the finger
    • Shareholder derivative litigation
    • Individual liability of IT / Compliance / Privacy “officers”
  • Anticipated 2016 Legal Trends
    • Regulatory enforcement … which, by the way, is why NIST is becoming default
    • Shareholder Derivative – much more likely than consumer class actions at this time
    • Lessons from both of these: when you need to persuade the “money folks” that they need to act, mention D&O Liability (especially Caremark) and Regulatory focus on individuals … now they’re in the cross-hairs
    • Realization that cybersecurity is more of a legal issue than anything else (IT or business) b/c it is the legal requirements and consequences that ultimately drive everything

Go HERE to listen to the Podcast!

Dear Santa: Shawn Tuma’s Cybersecurity Christmas Wish


My friends at SecureWorld asked me to do something I have not done since I was a kid. They asked me to write a letter to Santa and tell him what my one cybersecurity Christmas wish would be.

What is my wish?

Here is a hint: it is for business leaders to begin to understand one particularly crucial thing about cybersecurity incidents — one thing that could really help get their companies prepared for the cybersecurity risks they face.

If you want to know what that one thing is, all you have to do is read my letter to Santa: Cybersecurity Wishes: Shawn E. Tuma


What Do Cybersecurity, Brown M&M’s & Credit Ratings Have in Common?

Of all the examples of pompous extravagance the legendary rock band Van Halen exemplified, one that has always stood out was the band’s contractual requirement that the dressing room have M&M’s, with the warning that there were to be no brown M&M’s. If any were there, the band had the right to cancel the concert at the full expense of the promoter (see No Brown M&M’s).

Only recently did the band reveal the real reason for this requirement. It was their canary in the coal mine to alert them to major problems.


Van Halen wasn’t just playing music; they were putting on a massive stage show that involved filling venues with equipment those venues were never intended to handle. This posed a significant safety concern for the public as well as the band. To mitigate this risk, Van Halen’s contract spelled out in precise detail the technical requirements for how the stage, lighting, and other equipment were to be assembled. Hence the reason for the No Brown M&M’s Clause:

To ensure the promoter had read every single word in the contract, the band created the “no brown M&M’s” clause. It was a canary in a coalmine to indicate that the promoter may have not paid attention to other more important parts of the rider, and that there could be other bigger problems at hand (see No Brown M&M’s).

Cybersecurity Risks & Credit Ratings

A few weeks ago, Moody’s announced that it will begin to place more weight on a company’s cybersecurity risks when issuing its credit ratings (see Moody’s).

The report is the latest indicator that it has become increasingly important for companies to view cybersecurity in financial terms, not simply in terms of reputational risk.

“More cyber security expertise is being added to boards and trustee governance,” said associate managing director Jim Hempstead, in a release. “We expect many issuers will create distinct cyber security subcommittees, which is a material credit positive.”

S&P issued a similar warning in September, stating that it would downgrade credit ratings of financial institutions that have poor cybersecurity protections.

Good for Moody’s and S&P!

Think about it. For today’s companies, their cybersecurity posture is that canary in the coal mine — the brown M&M’s — that will either indicate that the company is carefully focusing on its business or is run in a haphazard manner.

Cybersecurity should be used to evaluate credit ratings as well as other aspects of the company. This is good for everybody, especially for companies that are keeping their cybersecurity house in order. It will give them a distinct competitive advantage in the future as more and more people become attuned to just how bad cybersecurity risk can be.

So, what do cybersecurity, brown M&M’s and credit ratings have in common? They’re all an indication of the kind of company that others want to do business with; ultimately, they mean increased competitiveness.

(Disclaimer: I am more of a Van Hagar fan than a Van Halen fan)
