First, one takeaway from the cybersecurity incidents at Target, Sony, and others is that the CIO and the company's board members must take an active role in evaluating the company's cybersecurity measures. Internal policies and directives should be re-examined to ensure that proper policies are being implemented across the company. Some questions to be answered include: (i) has cybersecurity been given the appropriate priority and amount of resources; (ii) has the company's most valuable information been identified and protected; (iii) are the company's third-party partners also securing the company's most valuable information; (iv) is the effectiveness of the company's security being regularly evaluated and probed for weaknesses; (v) does the company have a well-designed and exhaustive plan for what happens in the event the company is compromised; and (vi) are the company and its executives properly insured in the event of a breach? If a company and its CIO/CISO can demonstrate that the company adopted and implemented a careful, proactive approach to its cybersecurity measures, they will have gone a long way toward proving that they have met their fiduciary responsibilities to their shareholders, and to the persons who entrusted sensitive personal information to them.
Second, an interdisciplinary team should be created at the company that includes in-house technical, business, and legal stakeholders as well as knowledgeable outside counsel. Companies should ensure that the lawyers they have engaged know both the law and the technology that is being proposed, adopted, and deployed to mitigate and manage cyber risks. These lawyers should have a firm and definite grasp of the cybersecurity technologies in use, the company's cybersecurity and incident response solutions, and the basics. The "basics" may include being able to differentiate between spyware and malware, between a logical and a disk-level forensic image, between a megabyte and a terabyte, and between platform as a service and software as a service. The interdisciplinary team should be responsible for reviewing the company's internal cyber-policies to ensure they are appropriate, and that they are being honored and implemented within the company. This team should also be an integral part of any response the company formulates to a cyber-attack.
Third, the company's General Counsel and CIO need to review the company's patchwork of insurance policies, and determine whether they are covered for lawsuits that may be filed directly against the CIO and other executives for alleged negligence that helped cause or worsen a data breach. Whether coverage comes from the company's cyber insurance policy or from its D&O policy, the company must ensure that coverage does in fact exist. The company should also ensure it has obtained the right insurance policies for the industry it serves and the specific operational exposures it faces. In reviewing the state of its insurance, the company must be cognizant that the CIO and the CISO may not rise to the level of officers of the company, meaning that the existing insurance policies for the executive team may not extend to them.