Cybersecurity is a business issue. In the face of rising cyber threats and increasing regulatory scrutiny, organisations and boards of directors must treat cybersecurity as a business issue and take proactive measures to protect themselves against cyber liabilities.
The stakes are higher than ever. The recent lawsuit by the U.S. Securities and Exchange Commission (SEC) against SolarWinds Corp. and its CISO underscores the increased accountability that individuals and companies face for failures in their cyber governance programs.
This was one of the many takeaways from a discussion hosted by Nithya B. Das, Chief Legal & Administrative Officer, Diligent, who was joined by Kaylee Bankston, Partner, Data, Privacy & Cybersecurity at Goodwin; Kevin Powers, Founder, Director and Professor of Cybersecurity, Data Privacy & National Security Graduate Programs at Boston College; and Myrna Soto, founder and CEO of Apogee Executive and former CISO.
Here’s a look at some of the highlights from the discussion about protecting against cyber liabilities.
1. Treat cybersecurity as a core business priority
While the regulatory landscape for cybersecurity is rapidly evolving, the panellists emphasised that cybersecurity must be seen as a core business priority affecting the entire organisation rather than just a technical responsibility. As Powers stated, cybersecurity is now business itself and should be approached as such.
“Your board members understand risk management,” Soto pointed out. “There is no reason why this risk area should not be managed similarly.” Soto made a strong case for embedding cybersecurity in the culture of an organisation, making it a business priority, and using various assessment techniques to understand the effectiveness of cybersecurity programs.
2. Implement proactive cybersecurity governance programs
To effectively address cyber risks, organisations must adopt robust cybersecurity governance programs. This includes conducting regular risk assessments and vulnerability management, ensuring employees, management and board members are trained on the latest developments in cybersecurity and employing continuous monitoring and incident response capabilities.
“Your legal counsel has a critical role to play, not just when there’s an incident but on this proactive risk management compliance side,” said Bankston.
C-suite leaders, CISOs, and board members must regularly discuss the organisation’s cybersecurity governance program, the steps being taken to identify and mitigate cyber risks, and the progress being made on protecting against cyber liabilities.
3. Ensure CISOs have appropriate liability protection
The panellists also touched on the importance of providing liability protection for CISOs. They suggested that organisations should consider including CISOs in their Directors and Officers (D&O) insurance policies.
Soto emphasised the need for CISOs to be part of D&O insurance policies. “I think it’s a step in the right direction to ensuring that this profession is nurtured and that we have the right experts in place to collaborate with the bigger ecosystem,” she said. Providing liability protection for CISOs ensures that organisations can recruit and retain top security talent, and it also provides CISOs with a level of comfort to take on these increasingly high-risk roles.
Powers agreed with Soto and added that the role of the CISO is evolving and becoming more business-focused. “That’s where things are going,” he said. “So, for anyone on the call now, recognise that cybersecurity is part of your business. Whether you like it or not, it’s a core function going forward, and you have to treat it as such.”
4. Communicate frequently, transparently and consistently with the board on cybersecurity
The panellists also discussed the importance of effective and frequent reporting of cyber risks and regulatory issues to the board. They suggested that organisations should aim for transparency and consistency of reporting to ensure that board members are given the right level of information to understand the nature of the risk and the steps to take in protecting against cyber liabilities.
Soto suggested that organisations report on their cybersecurity programs’ effectiveness and present that information at a macro level to the board. “I think what’s more important is how effective have we become in responding to those incidents and what are the artifacts, what’s the evidence to prove that?” she said.
Powers suggested that public companies have a dedicated committee, such as the Audit Committee or Risk Committee, that would delve deep into these issues and then present its findings to the board. “You can have a couple of board members on a committee; they understand risk, they understand business,” he said. “Once they realise that cybersecurity is not a technical issue, it’s a business risk, business strategy; it’s a legal, regulatory issue that they’ll understand.”
5. Prioritise employee cybersecurity training and awareness
Another crucial aspect of risk management is educating employees about cyber threats and how to prevent them. The panellists emphasised the need for regular training and awareness programs to ensure that employees can identify and respond to potential cyberattacks.
This can include topics such as safe internet practices, password management, and recognising phishing attempts. By investing in employee education, companies can significantly reduce the risk of a successful cyberattack.
The panellists also discussed the importance of practice and preparation through efforts such as documented incident management plans and tabletop exercises.
Directors and executives must be included in these trainings as well. Programs like the Diligent Cyber Risk & Strategy Certification are specifically designed to equip leaders with the cyber skills they need to provide comprehensive oversight, avoid personal liability, and prepare their organisations.
Mitigating cyber risks through proactive strategies
As cyber regulations continue to evolve, organisations must recognise that cybersecurity is not just a technical issue but a business imperative. By embedding cybersecurity in their culture, striking the right balance in reporting to the board, and including CISOs in liability protection programs, organisations can effectively manage cyber risks and navigate the complex regulatory landscape.
Collaboration between legal, compliance and security teams is key to ensuring proactive risk management and compliance. By treating cybersecurity as a core business function, organisations can safeguard their digital assets and protect themselves from the increasing threats in the digital age.
Bankston said it well during our conversation: “Cybersecurity is a team sport.” CISOs, general counsels, and board members must all play a role in mitigating cyber risk.