Even an organization with a highly mature cybersecurity risk-management program needs to keep pace with the changing legal and business landscape, and staying ahead of this challenge starts at the top. Just when the dust had started to settle from the widespread WannaCry attack, the ransomware attack dubbed Petya spread internationally, impacting government and commercial entities, including law firms. Using a hypothetical scenario based on starting a new business line involving financial services, executives from Dell, Amazon, Cybraics and Crowdstrike, playing the roles of the CEO, CISO, CRO and GC, recently offered advice on how to develop an information security risk management program; which key stakeholders are involved in the governance of the program; and how the CISO should interact with the program. In this second installment of our two-part article series, we hear from the chief risk officer on ideas for program revitalization and minimizing risk and from the general counsel on understanding and implementing applicable laws, and all four stakeholders provide practical takeaways. Part one
set forth the facts of the simulation, the CEO’s concerns, and the CISO’s response to those concerns, particularly in connection with the resources needed and strategy. See also “How In-House Counsel, Management and the Board Can Collaborate to Manage Cyber Risks and Liability (Part One of Two)
” (Jan. 20, 2016); Part Two
(Feb. 3, 2016).