Cybersecurity Both Governance, Regulatory Issue: Panel

Bloomberg BNA’s Corporate Law & Accountability Report is available on the Corporate Law Resource Center.

By Susan Bokermann

Jan. 20 — While cybersecurity is a well-known risk, corporations still are struggling with how to address it internally in terms of compliance and governance, said Alexander H. Southwell, a New York-based partner at Gibson Dunn & Crutcher LLP.

At the same time, companies that have been victimized in cyber breaches often also become the targets of related governmental investigations, said F. Joseph Warin, a partner at Gibson Dunn's Washington, D.C., office.

“The yin and yang of that dilemma”—having to defend against both cyber attacks and regulators—is what we deal with every day, Warin said.

Southwell and Warin spoke at a Gibson Dunn webinar Jan. 20. They discussed how companies should prepare for a cyber attack, deal with the repercussions of an attack, and balance the regulatory and governmental demands.

Costs of a Breach

The damage potential of a cyber breach has increased, Southwell said. He noted that some recent studies have shown that “the total organizational cost of data breaches in the U.S. is approaching $6 million on an average basis” for each breach. This damage includes loss of customer revenue, diversion of resources, handling the regulatory and litigation onslaught, and reputational damage.

In addition to the damage to the corporation, there also is the risk to corporate executives, Southwell said. As seen in the Target breach, the chief information officer lost her job, and shortly thereafter the chief executive officer was forced to resign. So the impact of a data breach also reaches the executive suite, he said.

Multifaceted Risk

“The risk is multi-faceted,” said Southwell. He noted that there is insider risk from employees who misplace laptops or send misdirected e-mails, either through negligence or intentional misconduct. There is also third-party risk from vendors or others with access to information. In addition, there is risk from nation-state actors.

Having the correct response to these risks is important, Southwell said, adding that where the cyber response is housed in a company depends on the culture of the organization and its risk profile.

Cyber response often stems from the general counsel's office because it is a traditional risk area and lawyers are trained to think about those kinds of matters, Southwell said. Cyber response involves many different parts of a company, including the technology department, the marketing department and the audit committee, and the general counsel is in a unique position to bring all of those people and departments together.

Southwell emphasized that interdisciplinary teams are a good way to handle the issue. Generally, the more cyber experience an in-house team can have, the better, he said. Having individuals with security clearances within the team also can help in working with law enforcement or regulators during the government's investigation of a cyber attack.

Another area that requires collaboration amongst various departments and individuals within a company is supply chain risk, Southwell said. With increasing reliance on third parties to handle certain aspects of any given company's business, and an increase in expansion of companies into new geographies, it's important to consider the cyber risks involved in supply chains and contractors, he said.

Governance Considerations

An increasing number of derivative actions are being filed in the wake of data breaches, Southwell continued. In that light, it's important to show that the board of directors is exercising the correct oversight, he said.

A threshold issue when thinking about cybersecurity from a board perspective is the framework, Southwell said. Which cybersecurity framework a company uses often depends on its industry. The National Institute of Standards and Technology's framework is emerging as the standard because it has the administration's backing, Southwell added. But the big picture is thinking about how you frame the issues, thinking about your risk, making sure oversight is in place and simulating a breach, he said.

A company must ensure that a breach response plan is in place, and then dust it off and test it out, Southwell said. Only by testing will you get a sense of how it will play out.

Regulatory Considerations

On the regulatory front, Southwell observed that a lot of “cops” are going to come in the door after a cyber breach. He also noted that going forward, the government will be promulgating more cyber regulations.

The U.S. has a state data breach notification regime that mandates disclosure to state attorneys general, Southwell said. However, there is federal legislation pending that would preempt this. The Federal Trade Commission is the agency traditionally focused on cybersecurity, but the Food and Drug Administration has new cybersecurity regulations, and there is potential new legislation pending related to automobile manufacturers, he said.

“It's a juicy target,” Warin added. “When you have a data breach, everybody wants to pile on.”

The Securities and Exchange Commission, specifically, has had a keen interest in cybersecurity, Warin continued.

The SEC Office of Compliance Inspections and Examinations has conducted a first round of examinations of broker-dealers and investment advisers, Southwell said. The results of these examinations show that such entities have done a good job of maintaining cybersecurity compliance policies and undertaking risk assessments. This is the SEC's way of assuring that regulated entities have the correct data-loss prevention tools at their disposal, as well as training and response planning, Southwell said.

There are European regulations to consider as well, Southwell continued. The General Data Protection Regulation announced by the European Commission in December 2015 replaces the 1995 Data Protection Directive, which was the first legal framework for personal data across member states. The new regulation is not effective until 2017, but it aims to standardize data privacy across member states, he said.

To contact the reporter on this story: Susan Bokermann in Washington at sbokermann@bna.com

To contact the editor responsible for this story: Yin Wilczek at ywilczek@bna.com