Jun. 3, 2020

How CISOs Can Use Digital Asset Metrics to Tell a Coherent Cyber Story to the Board

Cyber events are now among the top three triggers for derivative actions against directors and officers. To rebut those claims, boards need CISOs to provide them with useful metrics and benchmarks that demonstrate an understanding of the exposure the company faces and how it mitigated risk. This is cyber resiliency, explains Cyber Innovative Technologies CEO Ariel Evans in this guest article. Evans details questions the board should be able to answer and the underlying metrics to support those answers, with instructions for calculations and examples of how they can play out in the context of ransomware strategy, vendor risk and budgeting. See also “Privacy Officers Share Best Practices for Reporting to the Board” (Jul. 24, 2019).

Re-Evaluating Cybersecurity in the Remote Work Environment

Bad actors continue to take advantage of remote working situations. A recent ACA Compliance Group program featuring partner Chad Neale and associate director Noah Fox outlined recent trends in cyber attacks and how hackers and others are taking advantage of potential weaknesses arising from businesses’ responses to the coronavirus pandemic. In this article, we highlight concrete examples of coronavirus-related cyber attacks they discussed, along with practical guidance for identifying and addressing vulnerabilities. See “Companywide Work From Home: Six Cybersecurity Considerations” (March 25, 2020).

Preserving Privilege in Audits and Internal Investigations

While the attorney-client privilege generally applies to communications between an attorney and a client for the purpose of seeking or rendering legal advice, no approach to preserving privilege in an audit or internal investigation will be “bulletproof,” cautioned Michael B. Hayes, a partner at Montgomery McCracken. In a recent Strafford program, Hayes and Baker Donelson shareholder Kenneth E. McKay took a deep dive into how and when privilege and attorney work product protections apply in connection with internal investigations and audits and the critical issues that arise when claiming those protections. We present the key takeaways from their presentation. In an upcoming article, we will further address the privilege issue with our in-depth analysis of a Virginia federal magistrate’s ruling in In Re: Capital One Data Security Breach MDL that a cybersecurity firm’s incident report is discoverable. See “Preserving Privilege in Communications Involving In-House Counsel” (Feb. 27, 2019). 

Quarles & Brady Welcomes Data Security Partner

Greg Leighton has joined Quarles & Brady’s data privacy & security practice. He has extensive experience counseling clients on domestic and international privacy compliance programs, data security, the movement of data across international borders and a wide array of transactions that involve technology or data flows. For more from Quarles & Brady, see “How to Effectively Find, Compensate and Structure Cybersecurity Leadership (Part Two of Two)” (Jan. 11, 2017).

Former AUSA and Chief of Cybercrime Unit Joins Jones Day in Boston

Amy Harman Burkart, a former Assistant U.S. Attorney and Chief of the Cybercrime Unit in Boston, has joined Jones Day as of counsel in its cybersecurity, privacy & data protection practice. For more from Jones Day, see “Choosing Cybersecurity Insurance in a New Risk Environment” (Nov. 6, 2019).