*This post originally appeared in Law 360 on October 24, 2017.
We’ve seen it happen time and again. When a company experiences a major data breach or hacking incident, media attention turns to speculation or allegations about the company’s past history of underinvesting in cyber defenses, its supposed culture of cyber complacency, or its history of unaddressed (but, in retrospect, allegedly clear) vulnerabilities. New information may come to light indicating the victimized company suffered previous breaches months, or years, earlier. Rumors of cyber-inadequacy gain currency among current and former employees and, ultimately, regulators and plaintiffs. Sometimes (but not always), these rumors, allegations, supposition and speculation even turn out to be true.
Company boards, CEOs and general counsels cannot, of course, categorically prevent either breaches or rumors. They can, however, engage in probing internal due diligence of their companies’ cyber governance and compliance posture before it is too late — that is, before a cyber event occurs. Today companies commonly conduct technical audits of their defensive cyber posture, but it is not until a cyber incident occurs that they review their internal processes, reporting mechanisms, compliance culture, and other aspects of corporate governance, to assess whether — from a legal standpoint — they are well situated to defend themselves in enforcement proceedings or litigation should a breach occur. A cybersecurity legal governance assessment (or CLGA) can prepare companies for, and help mitigate, a range of cyber legal risks that companies may face after an adverse event.We’ve seen it happen time and again. When a company experiences a major data breach or hacking incident, media attention turns to speculation or allegations about the company’s past history of underinvesting in cyber defenses, its supposed culture of cyber complacency, or its history of unaddressed (but, in retrospect, allegedly clear) vulnerabilities. New information may come to light indicating the victimized company suffered previous breaches months, or years, earlier. Rumors of cyber-inadequacy gain currency among current and former employees and, ultimately, regulators and plaintiffs. Sometimes (but not always), these rumors, allegations, supposition and speculation even turn out to be true.
Growing Expectations of Director-Level Responsibility for Cyber Legal Compliance
Responsibility for corporate cybersecurity extends from the chief information security officer’s office, to the C-suite, to the corporate boardroom. To be sure, expectations of director-level engagement in and responsibility for managing cyber risks are growing. Regulators have placed particular obligations on boards for aspects of corporate cybersecurity compliance. The U.S. Securities and Exchange Commission has issued specific guidance on disclosures related to cybersecurity risk and incidents and the manner in which boards exercise responsibility for overseeing and managing risk. Shareholders have in recent years brought derivative actions against companies that have experienced cyber breaches seeking to hold boards liable for failure to appropriately oversee cybersecurity risks. Under the Delaware Chancery Court’s Caremark standard, company boards must assure themselves that the company has, among other things, an information and reporting system that is “reasonably designed to provide to senior management and to the Board itself timely, accurate information sufficient” to permit “informed judgments” about legal compliance. Legislators are likewise interested in the cybersecurity obligations of boards.
Regardless whether their companies possess potentially vulnerable consumer data, valuable trade secrets, intellectual property, or confidential business information; own or operate critical infrastructure; or rely on essential computer networks or information systems, boards have recognized the criticality of cyberrisks to their businesses. Yet despite having processes in place for managing cyberrisks and legal compliance, a recent study shows that many boards have low confidence in the effectiveness of their procedures. The lack of confidence, moreover, may be warranted. For example, a 2017 risk alert from the SEC’s Office of Compliance Inspections and Examinations found that a number of investment firms surveyed “did not appear to adhere to or enforce [cybersecurity] policies and procedures,” and in some cases “[h]igh-risk findings from penetration tests or vulnerability scans … did not appear to be fully remediated in a timely manner,” and risk assessments were outdated.
Cyber Security Beyond Cybersecurity: CLGAs
In today’s cyberthreat environment, even companies with exemplary technical defenses can (and likely will) be impacted by breaches. These breaches may be of a company’s own systems, those with whom they have data sharing arrangements, or their vendors. With regard to phishing, vulnerabilities can arise when either employees or online users have been phished. Once these events occur, questions immediately arise as to whether the company ignored red flags or had insufficient monitoring in place, outdated defensive protocols, or a culture of lax security.
A cybersecurity legal governance assessment would focus on the sufficiency of a company’s governance protocols and its compliance with externally and internally applicable cyber standards. A probing exercise of internal cyber due diligence would enable companies to identify and address the latent risks that inevitably surface after an incident occurs — and to obtain the legal advice necessary to help the company prepare to defend itself effectively. The review should be designed to assist a company’s board, CEO and general counsel by: reviewing corporate policies for identifying, assessing, communicating about, and addressing cyberthreats; examining recent and historical cyber assessments and/or incidents; and conducting employee interviews. The assessment would take a hard look at how cybersecurity compliance processes work in practice and whether they, and the company’s cybersecurity compliance structures and culture as a whole, are well-postured to protect the company as a legal matter should a major incident occur. With all respect to the best forensic experts in the world, this type of assessment is about the quality (and effectiveness) of corporate governance and enterprise risk management, not technology.
A CLGA begins by identifying the relevant legal standards (or substantially analogous domestic and international requirements) for cybersecurity protective measures, disclosure/reporting obligations, fiduciary responsibilities and governance obligations, internal control systems, and applicable ethical conduct/corporate codes. The review should be designed to help detect, prevent and defend against significant compliance problems, regulatory investigations, foreseeable legal claims, and potential major cyber crises. Recent major breaches provide useful benchmarks and lessons learned. Other corporate compliance regimes also offer insights. Companies have long conducted proactive legal reviews of the effectiveness and adequacy of their fraud, False Claims Act, Foreign Corrupt Practices Act, antitrust, food and drug, and other compliance programs, drawing upon key criteria and standards outlined by the U.S. Sentencing Commission’s Organizational Guidelines, among other things. Because a CLGA is undertaken for the purpose of giving legal advice to the board and/or senior management, companies should consider the appropriate attorney-client privilege and work product confidentiality.
The investigation of an independent committee of Yahoo! Inc.’s board of directors completed in 2017 (in which our firm represented the board’s Special Cybersecurity Review Committee) is a good example of the kind of probing review that could benefit companies to undertake before the fact to help determine whether corporate structures are working as intended. After a searching look, as set forth in the company’s public 10-K filing, that review found that, “[w]hile significant additional security measures were implemented in response to [earlier cyber] incidents, it appears certain senior executives did not properly comprehend or investigate, and therefore failed to act sufficiently upon, the full extent of knowledge known internally by the Company’s information security team. Specifically, as of December 2014, the information security team understood that the attacker had exfiltrated copies of user database backup files containing the personal data of Yahoo users but it is unclear whether and to what extent such evidence of exfiltration was effectively communicated and understood outside the information security team.”
The goal of a CLGA is to ensure that management periodically takes a rigorous, independent, and appropriately skeptical, look at what it is hearing from its own reporting structures about the company’s cybersecurity posture and defenses. By doing this, management can also put the board of directors in the best position to exercise its oversight and strategic responsibilities for managing the company’s cybersecurity risks. The best governance structures and internal reporting systems should be designed to smoke out what a company’s technical experts are worried about, not what they (believe they) have under control. CLGAs can help determine whether sufficient compliance and governance structures are in place; whether too little — or too much — is making its way up the chain; whether a mosaic of past events, when viewed in total and in hindsight, points to larger problems; whether liability landmines and red flags have been disarmed; whether real-time communications perform to expectations; and whether the company’s internal documentation (in its language of risk acceptance and maturity tiers) may later be unfairly construed as pointing a finger of liability at the company. While the law does not require this kind of due diligence, companies would be well served by it. Just as threat intelligence and risk assessment are intrinsic to effective cybersecurity planning, governance assessment and intelligence about potential legal exposure can be critical to surviving post-incident scrutiny.
What It Will Look Like With 20/20 Hindsight
We often think of cybersecurity compliance as falling into two categories: pre-incident preparation and post-incident response. A CLGA has the advantage of being both. It is designed to see around corners to liability a company may face, but it does so with the advantage of hindsight based on a company’s real-life experience and the knowledge the company is already harboring in-house. Taking a look at a company’s track record in practice of dealing with more minor cyber incidents and risks it has encountered in the past, or potential areas of vulnerability it has identified, can provide valuable insights, beyond what tabletop cybersecurity exercises or technical audits can afford. Knowing in advance of a significant cyber incident what your company will look after a bright light is turned on it can be part of the best preparation for a breach. Don’t be afraid to ask what it is that can really hurt you.