SPRING 2020 TODAY’S GENER AL COUNSEL
Cybersecurity
GC Should Lead Security Management and Risk By Thomas Yohannan, Paul Lanois and Brett Williams
22
C
ybersecurity is a board-level issue. A breach of almost any magnitude can put the survival of the business at risk. In 2014, the U.S. Securities and Exchange Commission wrote “boards that choose to ignore, or minimize, the importance of cybersecurity oversight responsibility, do so at their own peril.” The Yahoo data breaches are a cautionary tale for any General Counsel’s office. Notably, as indicated in Yahoo’s Form 10-K filing, the in-house legal team at Yahoo was found to have not sufficiently pursued the investigation of a security incident that arose in 2014. In particular, an independent committee of Yahoo found that it was up to the legal department to further inquire into security incidents, to pursue the investigation and analysis, and that failure from the legal department meant that the company was not correctly advised concerning legal and business risks. This clearly suggests that the GC has a critical role concerning information security and, in this case, failed to execute that role. In fact, in connection with the alleged lack of action from the legal department, Yahoo subsequently accepted the resignation of its GC. As
further evidence of the impact of the breach, the acquisition value of Yahoo decreased by $350M from the time the breach was announced to when the merger with Verizon closed. Enforcement actions taken under data protection laws also relate to cybersecurity issues. For example, the UK’s Information Commissioner Office (ICO) issued in July 2019 a notice of intention to fine British Airways $230 million and Marriott International $123 million, both under the General Data Protection Regulation (GDPR) for a data breach. The ICO criticized British Airways for its “poor security arrangements” and claimed that “Marriott failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems.” These are but two examples of the strategic importance that must be given to managing cyber risk. ROLE OF THE CISO
“Data breaches” have become part of the vernacular. They affect a broad spectrum of society. In response, organizations are reevaluating how they handle and heighten information security and
management responsibilities. The Chief Information Security Officer (CISO) role represents a growing leadership focus. This is a positive and essential trend. One question is, how would an organization reach a level of maturity such that the CISO might have a more significant role in the business decisionmaking process? Creating a close relationship with the GC is a clear option. A successful corporate strategy is not to have concentrated profit with miscalculated risk. A cyber incident is the best evidence of such a gross miscalculation of risk. The unfortunate truth is that a CISO’s value may only be fully realized when an incident occurs. The CISO can become a crucial driver of not only digital transformation but also risk management. Effective information security practices are vital both in preventing a successful incident and responding to one. Legal professionals understand risk management and its related urgency. Not being aware of statutory requirements can prove costly to the companies, not to mention the harm to reputation that may follow. Again, a clear argument for promoting GC/CISO alignment. GC’S OFFICE OFFERS VISIBILITY
The GC is broadly aware of an organization’s risks and objectives and maintains a good understanding of its clients and internal stakeholders. Hugh TowerPierce, CSO at Oscar Health, believes that “reporting lines for CISO and CSO roles other than to the technology executive often carry a progressive perception.” When the security organization reports to executives such as the GC or the CFO, there is an inherently stronger alignment on risk management responsibilities. Security’s relationship with the company’s technology leadership will always be key to security success,
