Does Board Oversight of Cybersecurity Mean Directors Must Become Cybersecurity Experts?

Does the board of directors’ duty of oversight over their companies’ cybersecurity require the individual directors to become experts on cybersecurity? That is a fair question and one that I’ve seen many people have difficulty understanding.

The answer is “no,” as explained by Michael Santarcangelo (@catalyst) in his CSO article Why the board needs security leaders to fuel disciplined growth:

As the risk of breaches increases, boards – whose role when they oversee the CEO is to act as fiduciaries on behalf of shareholders– are increasingly at risk of falling short of their responsibilities. While board members are not expected to be experts on information security, they must make sure that the company has the right people and processes in place to erect defenses against information security violations, to establish procedures for monitoring the level of information security, and to make sure that the right steps are taken should a security breach occur.

Santarcangelo interviews Peter S. Cohan in this article and shares additional insight that all directors, CEOs, and CISOs need to understand about each of their respective roles in this process. Take the time to read this article.

 

3 More Key Cybersecurity Takeaways General Counsel Should Learn Learn from Yahoo

The lessons that general counsel can learn from the Yahoo data breach just keep coming. A month ago I published 5 Key Takeaways from Verizon’s GC on Lessons Learned from Yahoo Deal and recently I read Yahoo’s Warning to GCs: Your Job Description Just Expanded (Big-Time), which I found to be excellent.

Here are 3 key cybersecurity takeaways that general counsel should learn that are described more in that article. The explanation in the article is very good and the author provides actionable recommendations — I encourage you to read the entire article:

  1. The general counsel has emerged as the most logical and effective quarterback of data breach response.
  2. Yahoo’s actions not only signal the evolution of a new standard of care for general counsel when it comes to cybersecurity but also signal a vast expansion of general counsel oversight. 
  3. Cybersecurity presents every bit, if not more risk than financial reporting failure, and should receive the same level of oversight and audit.

______________________

Shawn Tuma (@shawnetuma) is a business lawyer with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Partner at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.

5 Key Takeaways from Verizon’s GC on Lessons Learned from Yahoo Deal

A good friend recently shared with me the article Verizon GC on the Lessons Learned from Deal with Yahoo (use Linkedin for paywall access) because he thought it would be valuable information to add to my own cybersecurity knowledge toolbox. Given the experience Verizon’s GC has gained through this process, when he talks about lessons learned, we should all pay attention.

Here are the 5 key takeaways to keep in mind for mergers and acquisitions such as this one:

  1. Have a strategy on how to handle the news of data breaches.
  2. Analyze how a data breach impacts the original goals of the deal and how it will impact investors.
  3. Be very disciplined in messaging, ensuring that all public statements, to all audiences, are a variation of the same core messages.
  4. Know what the parties’ agreement says about data breaches which, necessarily, requires that the agreement address the issue of data breaches.
  5. While due diligence around data breaches may be important, it is more important to have reps and warranties around data breaches because it is unreasonable to expect due diligence to find what the company itself hasn’t found.

Yahoo security lapses laid bare even as Russia blamed for hack

______________________

Shawn Tuma (@shawnetuma) is a business lawyer with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Partner at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.

Yes, Officers & Directors Can Be Held Personally Liable for Their Company’s Data Breach – Here’s Why

jeffmullinswebsizeda

“Can I be held personally liable for my company’s data breach?”

That is one of the questions I am asked many times by officers and directors of companies.  For companies doing business in Texas, the answer could be “YES!” although the usual reasons provided are not nearly as straightforward as the one discussed in the video below.

***Please note, this analysis applies only to officers and directors, not regular employees of a company.

Continue reading “Yes, Officers & Directors Can Be Held Personally Liable for Their Company’s Data Breach – Here’s Why”

4 Ways to Engage Executives in Cyber Risk

The CIO Journal has an informative article, 4 Ways to Engage Executives in Cyber Risk, that discusses a handful of ideas that can be helpful for engaging company executives on the issue of cybersecurity risks. Here are the 4 steps it suggests:

  1. Host a cyber risk heat-mapping session
  2. Establish key risk and performance indicators
  3. Simulate a cyber incident
  4. Scrutinize the security implications of new technologies

All are very good and the article offers a nice explanation for each step.

______________________

Shawn Tuma (@shawnetuma) is a business lawyer with an internationally recognized reputation in cybersecurity, computer fraud and data privacy law. He is a Cybersecurity & Data Protection Partner at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.