
Corporate Counsel Connect collection

May 2018 edition

Cybersecurity readiness: Seven takeaways from a C-suite survey

Mark McCreary and Elizabeth Litten

When preparing the questions for our inaugural Cybersecurity Questionnaire, we expected to show that companies were generally prepared, and then focus on existing gaps. Lawyers excel at finding ways to fill heretofore unknown gaps, and that is where we saw our value. We were surprised to learn instead that companies are overly confident in their prior efforts and, for the most part, are nowhere near prepared for the threats they face. The purpose of this article is to highlight seven takeaways from the Cybersecurity Questionnaire, all reflecting this theme, for in-house counsel.

  1. To mitigate cybersecurity risk, companies need to have a competent security professional in place. In most cases, this person should not be the chief information officer (CIO) or chief technology officer (CTO) of the company. In our experience, a CIO or CTO has divided loyalties and faces too many budgetary pressures. Instead, this person should be a chief information security officer, chief privacy officer, or other individual whose job is to focus on security issues. It's better to have one person whose sole responsibility is to focus on security issues for the company than to have 20 people who spend part of their time focusing on security issues (perhaps under the direction of the CIO or CTO) as an ancillary part of their jobs.
  2. The designated security professional should have access to the C-suite and board of directors at the company, as well as the general counsel. Careful consideration should be given as to the person to whom this professional should report. It should almost always not be the CIO or CTO. We are big fans of making sure the chief executive officer (CEO) learns about security issues and gets regular updates, mostly for the reasons discussed herein. Your company will have to decide whether and in what order the security professional should report to the CEO, chief operating officer, general counsel, or some other C-suite-level individual. Second, the board of directors needs to understand the risks the company faces with respect to security issues. These risks are often best presented by the general counsel, after the general counsel has received a full report or audit results from the designated security professional. A board of directors that does not think about these issues, or otherwise makes decisions without considering security implications, is simply not doing its job.
  3. The company must have a culture of security and data protection. The general counsel should regularly train employees and instill a culture of incident reporting. The concept of privacy-by-design, whereby the privacy implications are considered before any product or service is created or launched and the design of the product or service is geared toward protecting privacy, can be fostered through training by the general counsel's office. Counsel can remind the COO, teams involved with research and development, and others within the company that implementation of a privacy-by-design approach can eliminate or significantly reduce customer concerns related to data privacy. By taking this approach, data security will not be an afterthought for companies and the data they own and safeguard will have better protection.
  4. General counsel can remind the C-suite that the company's expenditures on security efforts will save money and customer good will. It is that simple. There are free steps that companies can take to make data more secure, but the greatest yardage will be gained by purchasing systems and tools to do the heavy lifting. Whether we are talking about data loss prevention (which uses a huge cross-section of tools), privileged account management, a security event information management tool, or similar efforts, these are significant undertakings for IT departments and require significant capital investment. General counsel can frame it this way: If you were presented with incontrovertible evidence that there existed a 30% chance your home would be broken into, would you buy a security system or better lock, or put your family at risk? Your company's data is your family in this analogy, by the way!
  5. If the general counsel's office is not training all employees, the board of directors, and any other party with access to your network systems and physical copies of your data, you are making a big mistake. Not all training is equal, and nothing replaces in-person training. If you are treating one-time security training as a box checked, then you have done nothing other than steal productivity from your employees while making your data no more secure.
  6. Cyber liability insurance is great to have, but you must have the right product. The general counsel's office should be closely reviewing coverage levels, coverage exclusions, and whether vendors or other third parties with access to company data are liable (and have adequate coverage) for data loss or breach. Counsel must then provide the C-suite with enough information to make an informed purchasing decision. Too often, the client learns of the deficiencies after a claim event arises, and only then do they discover that there are meaningful coverage gaps, limits or sub-limits that make the policy near worthless.
  7. General counsel needs to understand the implications of the European Union's General Data Protection Regulation (GDPR). The law goes into effect on May 25, 2018, and will cost companies billions of dollars in fines by most experts' estimates. If you think your company is safe because it doesn't collect personal information from individuals (and it likely does, it just doesn't realize it), the GDPR still likely applies if any company with which you do business is subject to GDPR. If GDPR applies and you have not yet started compliance efforts, you are too late to meet the initial compliance deadline (but this should not deter you from starting your efforts; you are not alone!).

We hope that our next Cybersecurity Questionnaire will reveal that companies have a greater appreciation of how they are deficient in their security preparedness as a result of general counsel's active role in education and risk mitigation.


About the authors

Fox Rothschild Partner Mark McCreary is the firm's Chief Privacy Officer and co-chair of the Privacy and Data Security Practice. Partner Elizabeth Litten is the firm's HIPAA Privacy & Security Officer.



