Stay current on changes and developments in corporate law with a wide variety of resources and tools.
By Susan Bokermann
Jan. 20 — While cybersecurity is a well-known risk, corporations still are struggling with how to address it internally in terms of compliance and governance, said Alexander H. Southwell, a New York-based partner at Gibson Dunn & Crutcher LLP.
At the same time, companies that have been victimized in cyber breaches often also become the targets of related governmental investigations, said F. Joseph Warin, a partner at Gibson Dunn's Washington, D.C., office.
“The yin and yang of that dilemma”—having to defend against both cyber attacks and regulators—is what we deal with every day, Warin said.
Southwell and Warin spoke at a Gibson Dunn webinar Jan. 20. They discussed how companies should prepare for a cyber attack, deal with the repercussions of an attack, and balance the regulatory and governmental demands.
The damage potential of a cyber breach has increased, Southwell said. He noted that some recent studies have shown that “the total organizational cost of data breaches in the U.S. is approaching $6 million on an average basis” for each breach. This damage includes loss of customer revenue, diversion of resources, handling the regulatory and litigation onslaught, and reputational damage.
In addition to the damage to the corporation, there also is the risk to corporate executives, Southwell said. As seen in the Target breach, the chief information officer lost her job, and shortly thereafter the chief executive officer was forced to resign. So the impact of a data breach also reaches the executive suite, he said.
“The risk is multi-faceted,” said Southwell. He noted that there is insider risk from employees who misplace laptops or send misdirected e-mails, either through negligence or intentional misconduct. There is also third-party risk from vendors or others with access to information. In addition, there is risk from nation-state actors.
Having the correct response to these risks is important, Southwell said, adding that where the cyber response is housed in a company depends on the culture of the organization and its risk profile.
Cyber response often stems from the general counsel's office because it is a traditional risk area and lawyers are trained to think about those kinds of matters, Southwell said. Cyber response involves many different parts of a company, including the technology department, the marketing department and the audit committee, and the general counsel is in a unique position to bring all of those people and departments together.
Southwell emphasized that interdisciplinary teams are a good way to handle the issue. Generally, the more cyber experience an in-house team can have, the better, he said. Having individuals with security clearances within the team also can help in working with law enforcement or regulators during the government's investigation of a cyber attack.
Another area that requires collaboration amongst various departments and individuals within a company is supply chain risk, Southwell said. With increasing reliance on third parties to handle certain aspects of any given company's business, and an increase in expansion of companies into new geographies, it's important to consider the cyber risks involved in supply chains and contractors, he said.
An increasing number of derivative actions are being filed in the wake of data breaches, Southwell continued. In that light, it's important to show that the board of directors is exercising the correct oversight, he said.
A threshold issue when thinking about cybersecurity from a board perspective is the framework, Southwell said. Which cybersecurity framework a company uses often depends on its industry. The National Institute of Standards and Technology's framework is emerging as the standard because it has the administration's backing, Southwell added. But the big picture is thinking about how you frame the issues, thinking about your risk, making sure oversight is in place and simulating a breach, he said.
A company must ensure that a breach response plan is in place, and then dust it off and test it out, Southwell said. Only by testing will you get a sense of how it will play out.
On the regulatory front, Southwell observed that a lot of “cops” are going to come in the door after a cyber breach. He also noted that going forward, the government will be promulgating more cyber regulations.
The U.S. has a state data breach notification regime that mandates disclosure to state attorneys general, Southwell said. However, there is federal legislation pending that would preempt this. The Federal Trade Commission is the agency traditionally focused on cybersecurity, but the Food and Drug Administration has new cybersecurity regulations, and there is potential new legislation pending related to automobile manufacturers, he said.
“It's a juicy target,” Warin added. “When you have a data breach, everybody wants to pile on.”
The Securities and Exchange Commission, specifically, has had a keen interest in cybersecurity, Warin continued.
The SEC Office of Compliance Inspections and Examinations has conducted a first-round of examinations of broker-dealers and investment advisers, Southwell said. The results of these examinations show that such entities have done a good job of maintaining cybersecurity compliance policies and undertaking risk assessments. This is the SEC's way of assuring that regulated entities have the correct data-loss prevention tools at their disposal, as well as training and response planning, Southwell said.
There are European regulations to consider as well, Southwell continued. The General Data Protection Regulation announced by the European Commission in December 2015, replaces the 1995 Data Privacy Direction, which was the first legal framework for personal data across member states. The new regulation is not effective until 2017, but it aims to standardize data privacy across member states, he said.
To contact the reporter on this story: Susan Bokermann in Washington at firstname.lastname@example.org
To contact the editor responsible for this story: Yin Wilczek at email@example.com
All Bloomberg BNA treatises are available on standing order, which ensures you will always receive the most current edition of the book or supplement of the title you have ordered from Bloomberg BNA’s book division. As soon as a new supplement or edition is published (usually annually) for a title you’ve previously purchased and requested to be placed on standing order, we’ll ship it to you to review for 30 days without any obligation. During this period, you can either (a) honor the invoice and receive a 5% discount (in addition to any other discounts you may qualify for) off the then-current price of the update, plus shipping and handling or (b) return the book(s), in which case, your invoice will be cancelled upon receipt of the book(s). Call us for a prepaid UPS label for your return. It’s as simple and easy as that. Most importantly, standing orders mean you will never have to worry about the timeliness of the information you’re relying on. And, you may discontinue standing orders at any time by contacting us at 1.800.960.1220 or by sending an email to firstname.lastname@example.org.
Put me on standing order at a 5% discount off list price of all future updates, in addition to any other discounts I may quality for. (Returnable within 30 days.)
Notify me when updates are available (No standing order will be created).
This Bloomberg BNA report is available on standing order, which ensures you will all receive the latest edition. This report is updated annually and we will send you the latest edition once it has been published. By signing up for standing order you will never have to worry about the timeliness of the information you need. And, you may discontinue standing orders at any time by contacting us at 1.800.372.1033, option 5, or by sending us an email to email@example.com.
Put me on standing order
Notify me when new releases are available (no standing order will be created)