This is a summary and commentary of a recent article by Nicholas J. Price of Diligent Corporation. The full article may be found at The General Counsel’s Role in Cybersecurity. Nicholas frames the issues succinctly and the purpose here is to highlight five (5) questions General Counsel need to ask specific to protecting the organization’s perimeter.
The prevalence of cybercrime and the emergence of new laws are forcing Boards and their general counsels to work closely with the chief information security officer (CISO) to make decisions about how to protect the company against cyberattacks, respond to data breaches, and remain compliant with data privacy regulations.
The data is clear and trending upward – cyber theft is on the rise and shows no signs of slowing. Data also indicates that, regardless of how much money you throw at cybersecurity, a determined cyber thief will find a way into the enterprise.
“Past risk governance models worked well for physical and financial risks, but they fail to provide adequate protection for cyber risk.”
The main question for general counsels to ask is:
• Would the company face litigation in the event of cyber risk and how should we prepare to address it?
Key risks facing general counsels are loss of key data, legal penalties, regulatory penalties, and issues related to the company’s reputation. New legal concerns call for legal teams to explore answers to questions such as:
1. What type of data and other personal information does our company store?
2. If that data were lost or stolen, what impact would it have on the company?
3. What data would be important to a cybercriminal if they could get their hands on it?
4. What best practices does the company already have in place?
5. Which of the company’s systems are the most vulnerable?
Compliance and Governance disciplines are methodologies for mitigating risk. The first step is to achieve Defensible Data, an integral part of GRC. The process below provides answers:
• What type of data and other personal information does our company store?
– Data is identified, classified, scored, and dispositioned according to GRC guidelines. PI/PHI/PCI data is ‘tagged’ and action is taken based on its sensitivity.
• (Questions 2 and 3) If that data were lost or stolen, what impact would it have on the company? And what data would be important to a cybercriminal if they could get their hands on it?
– “Tagged” data is assigned a Risk Score that indicates the value of a specific data class and the frequency of that data across all endpoints. Ponemon Institute guidelines are applied to assign monetary risk/value.
• Which of the company’s systems are the most vulnerable?
– ‘Systems’ will be segregated from data stores for this purpose. Systems will require perimeter/network protection and database/data privacy security, while data stores and unstructured data will be indexed as a priority.
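The tagging and Risk Score steps above, as an added illustration that is not code from the article or from Diligent: a small Python scanner classifies constructed sample files on three endpoints as PI/PHI/PCI, scores each class by an assumed weight times the number of endpoints holding it, and turns record counts into an exposure figure. The class weights, the cost per record and the detection rules are assumptions made here, not the article's figures.

```python
import re
from collections import defaultdict

# Assumed values, not the article's: class weights for the Risk Score and a cost
# per exposed record (a real run substitutes the organisation's Ponemon-derived figure).
CLASS_WEIGHT = {"PCI": 5, "PHI": 4, "PI": 2}
COST_PER_RECORD = 150
# Constructed rules: SSN/e-mail -> PI, medical record number -> PHI, Luhn-valid card -> PCI.
PATTERNS = {
    "PI": re.compile(r"\b\d{3}-\d{2}-\d{4}\b|\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
    "PHI": re.compile(r"\bMRN\s*\d+\b", re.I),
    "PCI": re.compile(r"\b\d{13,19}\b"),
}
def luhn_ok(digits):
    """Luhn checksum; cuts false positives from plain digit runs such as PO numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0
def classify(text):
    """Return {tag: hit_count} for the sensitive data classes found in text."""
    hits = {}
    for tag, rx in PATTERNS.items():
        found = rx.findall(text)
        if tag == "PCI":
            found = [m for m in found if luhn_ok(m)]
        if found:
            hits[tag] = len(found)
    return hits
def scan(endpoints):
    """Tag every file on every endpoint; count records and hosts per class."""
    summary = defaultdict(lambda: {"records": 0, "endpoints": set()})
    for host, files in endpoints.items():
        for content in files.values():
            for tag, n in classify(content).items():
                summary[tag]["records"] += n
                summary[tag]["endpoints"].add(host)
    return dict(summary)
def risk_scores(summary):
    """Risk Score = class weight x endpoints holding it; exposure = records x cost."""
    return {tag: {"score": CLASS_WEIGHT[tag] * len(v["endpoints"]),
                  "exposure": v["records"] * COST_PER_RECORD}
            for tag, v in summary.items()}
# Constructed sample inventory of three endpoints (not real data).
SAMPLE_ENDPOINTS = {
    "laptop-01": {"cust.csv": "4111111111111111,alice@example.com", "po.txt": "PO 1234567812345678"},
    "fileserver": {"claims.csv": "MRN 44821 diagnosis pending", "hr.csv": "SSN 123-45-6789"},
    "kiosk-07": {"log.txt": "nothing sensitive here"},
}
```

Running `risk_scores(scan(SAMPLE_ENDPOINTS))` ranks PI highest on frequency (two endpoints) even though PCI carries the higher per-class weight, which is the point of scoring value and spread together.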
Outcomes from this process include:
• Detailed data insight to include data by location, user, data type, content, origin, file size, file format, etc.
• Data classified and dispositioned to adhere to Governance and Data Retention policies
• Pristine, Defensible, Master Data set
Outcomes are improved for all disciplines. Risk is minimized, data governance policies are effective, and the promise of ROI can be realized – the ROI of Data Privacy compliance alone is 270%.