5 Steps to Fortify Your Organization Against Cyber Liabilities
Published 02/26/2024
Originally published by Diligent.
Written by Nithya B. Das, Chief Legal & Administrative Officer, Diligent.
Cybersecurity is a business issue. This was one of the main takeaways from a recent panel discussion I moderated on strategies to guide CISOs, general counsels and other legal and information security executives through the evolving regulatory landscape.
In the face of rising cyberthreats and increasing regulatory scrutiny, organizations and boards of directors must treat cybersecurity as a business issue and take proactive measures to protect themselves against cyber liabilities.
The stakes are higher than ever. The SEC’s recent lawsuit against SolarWinds Corp and its CISO, filed in October 2023, underscores the accountability regulators now place on both companies and individual executives for cyber risk disclosures and for failures in their cyber governance programs.
Joining me in the discussion were Kaylee Bankston, Partner, Data, Privacy & Cybersecurity at Goodwin; Kevin Powers, Founder, Director and Professor of Cybersecurity, Data Privacy & National Security Graduate Programs at Boston College; and Myrna Soto, founder and CEO of Apogee Executive and former CISO.
Here's a look at some of the highlights from our discussion.
1. Treat cybersecurity as a core business priority
While the regulatory landscape for cybersecurity is rapidly evolving, the panelists emphasized that cybersecurity must be seen as a core business priority affecting the entire organization rather than just a technical responsibility. As Powers stated, the business of cybersecurity is now business itself and should be approached as such.
“Your board members understand risk management,” Soto pointed out. “There is no reason why this area of risk should not be managed in a similar fashion.” Soto made a strong case for embedding cybersecurity in the culture of an organization, making it a business priority, and using various assessment techniques to understand the effectiveness of cybersecurity programs.
2. Implement proactive cybersecurity governance programs
To effectively address cyber risks, organizations must adopt robust cybersecurity governance programs. This includes regular risk assessments and vulnerability management; training for employees, management and board members on current threats and regulatory developments; and continuous monitoring and incident response capabilities.
“Your legal counsel has a critical role to play, not just when there’s an incident but on this proactive risk management compliance side,” said Bankston.
C-suite leaders, CISOs and board members must regularly discuss the organization’s cybersecurity governance program, the steps being taken to identify and mitigate cyber risk, and the progress of remediation for the core cyber risks already identified.
3. Ensure CISOs have appropriate liability protection
The panelists also touched on the importance of providing liability protection for CISOs. They suggested that organizations should consider including CISOs in their Directors and Officers (D&O) insurance policies.
Soto emphasized the need for CISOs to be part of D&O insurance policies. “I think it’s a step in the right direction to ensuring that this profession is nurtured and that we have the right experts in place to collaborate with the bigger ecosystem,” she said. Providing liability protection for CISOs helps organizations recruit and retain top security talent, and it gives CISOs a level of comfort in taking on these increasingly high-risk roles.
Powers agreed with Soto and added that the role of the CISO is evolving and becoming more business-focused. “That’s where things are going,” he said. “So for anyone on the call now, recognize that cybersecurity is part of your business. It’s a core function going forward, whether you like it or not, and you have to treat it as such.”
4. Communicate frequently, transparently and consistently with the board on cybersecurity
The panelists also discussed the importance of effective and frequent reporting of cyber risks and regulatory issues to the board. They suggested that organizations should aim for transparency and consistency of reporting to ensure that board members are given the right level of information to understand the nature of the risk.
Soto suggested that organizations report on their cybersecurity programs’ effectiveness and present that information at a macro level to the board. “I think what’s more important is how effective have we become in responding to those incidents and what are the artifacts, what’s the evidence to prove that?” she said.
Powers suggested that public companies assign a dedicated board committee, such as the Audit Committee or Risk Committee, to delve deep into these issues and then present its findings to the full board. “You can have a couple of board members on a committee; they understand risk, they understand business,” he said. “Once they realize that cybersecurity is not a technical issue, it’s a business risk, business strategy, it’s a legal regulatory issue that they’ll understand.”
5. Prioritize employee cybersecurity training and awareness
Another crucial aspect of risk management is educating employees about cyberthreats and how to prevent them. The panelists emphasized the need for regular training and awareness programs to ensure that employees are equipped to identify and respond to potential cyberattacks.
This can include topics such as safe internet practices, password management and recognizing phishing attempts. By investing in employee education, companies can significantly reduce the likelihood that a phishing email or credential-theft attempt succeeds.
The panelists also touched on the importance of practice and preparation through efforts like documented incident management plans and tabletop exercises.
Directors and executives themselves must be included in these trainings as well. Certain certification programs are specifically designed to equip leaders with the cyber skills they need to provide comprehensive oversight, reduce their personal liability exposure and prepare their organizations.
Mitigating cyber risks through proactive strategies
As the cyber regulatory landscape continues to evolve, organizations must recognize that cybersecurity is not just a technical issue but a business imperative. By embedding cybersecurity in their culture, striking the right balance in reporting to the board, and including CISOs in liability protection programs, organizations can effectively manage cyber risks and navigate the complex regulatory landscape.
Collaboration between legal, compliance and security teams is key to ensuring proactive risk management and compliance. By treating cybersecurity as a core business function, organizations can safeguard their digital assets and protect themselves from the increasing threats in the digital age.
Bankston said it well during our conversation: “Cybersecurity is a team sport.” CISOs, general counsels and board members must all play their role in mitigating cyber risk.