The Cybersecurity Law Report

Incisive intelligence on cybersecurity law and regulation

Articles By Topic

By Topic: Boards of Directors

  • From Vol. 4 No.24 (Aug. 8, 2018)

    Essential Cyber, Tech and Privacy M&A Due Diligence Considerations

    Evolving threats, regulatory focus and innovation require every transaction to now include some technology, privacy and cybersecurity due diligence. A target’s problems in these areas can manifest themselves in painful ways, whereas a robust infrastructure can dramatically improve value. This article covers a recent ACA Aponix program that detailed key issues to consider when reviewing cybersecurity, information technology and regulatory compliance at target and portfolio companies. See also “Effective M&A Contract Drafting and Internal Cyber Diligence and Disclosure” (Dec. 20, 2017).

  • From Vol. 4 No.9 (Apr. 25, 2018)

    Pillars of Effective Breach Detection, Response and Remediation

    Should board members participate in testing incident response plans? At Skytop’s recent Cyber Risk Governance conference, panelists were divided on this question and others related to breach detection, response and remediation. The Cybersecurity Law Report’s Senior Editor Jill Abitbol moderated the panel, “Detection, Response and Remediation: The Pillars of Effective Cyber Breach Response,” which featured Richard Buchband, senior vice president, general counsel and secretary of ManpowerGroup Inc.; Mark Clancy, CTO of Emergynt and founder of Cyber Risk Research; Karen Morris, an independent consultant; and Justin Fier, director for cyber intel and analysis at DarkTrace. See also “Goodbye to the Blame Game: Forging the Connection Between Companies and Law Enforcement in Incident Response” (Apr. 19, 2017).

  • From Vol. 4 No.5 (Mar. 14, 2018)

    How to Handle Rising Expectations for Board Cyber Education and Involvement

    Cybercrime is a risk management issue that affects the entire organization and requires board oversight. Although directors know that they need to stay informed about cybersecurity, keeping up with it in the complex, rapidly evolving world of IT is often a challenge. In response to expectations from shareholders and regulators, boards are becoming more informed and engaged in their company’s cybersecurity risks and efforts. At a recent PLI panel, moderator Amy Leder, a partner at Holland & Knight, was joined by Austin Berglas, global head, cyber forensics and incident response at BlueVoyant; Joel Rubinstein, a partner at Winston & Strawn; and Nancy Saltzman, chief compliance officer at EXL. Among other topics, panelists discussed the board’s role in overseeing cybersecurity risk and key questions directors should be asking management and portfolio companies. See also “Dynamic Regulations and Shareholder Actions Guide the Board’s Shifting Role in Cyber (Part One of Two)” (Jan. 31, 2018); Part Two (Feb. 14, 2018).

  • From Vol. 4 No.3 (Feb. 14, 2018)

    Dynamic Regulations and Shareholder Actions Guide the Board’s Shifting Role in Cyber (Part Two of Two)

    As large-scale data breaches become regular occurrences, and new regulations are implemented, shareholder derivative suits are increasingly being used by investors seeking to be made whole after data breaches. Boards of directors need to take note and understand the increasing costs and risks these suits pose. In this second part of a guest article series, Shearman & Sterling attorneys Jeewon Kim Serrato, Marc Elzweig and David Lee draw on the recent cases examined in part one and identify five lessons that boards may learn from these suits – lessons that are applicable to companies seeking to assess litigation risks related to data breaches and that also provide a practical starting point for managing cybersecurity risks in general. See “Key Post-Breach Shareholder Litigation, Disclosure and Insurance Selection Considerations” (Aug. 3, 2016).

  • From Vol. 4 No.2 (Jan. 31, 2018)

    Dynamic Regulations and Shareholder Actions Guide the Board’s Shifting Role in Cyber (Part One of Two)

    Post-breach litigation can be costly, and the rise of one type in particular, shareholder derivative suits filed against boards of directors of companies that have suffered data breaches, merits further attention. Regulatory changes, including the GDPR, may make such suits more frequent in addition to creating other data breach response expenses. Boards of directors need to take note and understand these increasing costs and risks. In part one of this guest article series, Jeewon Kim Serrato, David Lee and Marc Elzweig, attorneys at Shearman & Sterling, review the evolving understanding of the board of directors’ responsibility for cybersecurity and consider several shareholder derivative suits filed in the wake of data breaches as case studies. In part two, they will consider some of the lessons that boards may learn from these suits. See “Key Post-Breach Shareholder Litigation, Disclosure and Insurance Selection Considerations” (Aug. 3, 2016).

  • From Vol. 3 No.5 (Mar. 8, 2017)

    Preparing For Ransomware Attacks As Part of the Board’s Fiduciary Duty

    Managing enterprise cybersecurity risk is a key obligation of a company’s general counsel and board of directors. The rapidly increasing frequency and sophistication of ransomware attacks in particular have made them a pervasive and challenging part of that enterprise risk. Debevoise partner Jim Pastore spoke with The Cybersecurity Law Report about what GCs and boards need to know about ransomware and how those stakeholders can effectively fulfill the board’s cyber-related fiduciary duty to the company. Pastore will be a panelist at Skytop Strategies’ Cyber Risk Governance conference on March 16, 2017 in New York. An event discount registration link is available to CSLR subscribers inside this article. See also “How In-House Counsel, Management and the Board Can Collaborate to Manage Cyber Risks and Liability (Part One of Two)” (Jan. 20, 2016); Part Two (Feb. 3, 2016).

  • From Vol. 3 No.4 (Feb. 22, 2017)

    A CSO/GC Advises on How and When to Present Cybersecurity to the Board

    As more boards come to understand cybersecurity as a critical issue that cannot be ignored, briefings on the topic have become more common. Those with the responsibility for presenting such briefings must understand what information is essential for the board to know and how to communicate it effectively. Dr. Chris Pierson, EVP, chief security officer and general counsel for Viewpost, a FinTech payments company, and the former CPO, SVP for the Royal Bank of Scotland’s U.S. banking operations, spoke to The Cybersecurity Law Report about his experiences briefing the board on cybersecurity and shared his insights on the most effective reporting structure, how to obtain buy-in and budget and the importance of communicating business advantage. See also “How In-House Counsel, Management and the Board Can Collaborate to Manage Cyber Risks and Liability (Part One of Two)” (Jan. 20, 2016); Part Two (Feb. 3, 2016).

  • From Vol. 2 No.8 (Apr. 13, 2016)

    Study Analyzes How Companies Can Overcome Cybersecurity Challenges and Create Business Value

    Many executives tasked with combatting cybersecurity threats lack necessary awareness and readiness, according to a survey commissioned by security firm Tanium and the NASDAQ. The Accountability Gap: Cybersecurity & Building a Culture of Responsibility (the Survey Report) includes findings of an extensive study involving 1,530 non-executive directors, CEOs, CISOs and CIOs of major corporations around the globe. Using information from a combination of one-on-one interviews and a quantitative survey, the Survey Report highlighted seven key cybersecurity challenges facing boards and executives and provided actionable advice in these areas. We examine these findings, with input from Lance Hayden, managing director of Berkley Research Group, and author of People-Centric Security. See also “Protecting the Crown Jewels Using People, Processes and Technology” (Sep. 30, 2015).

  • From Vol. 2 No.3 (Feb. 3, 2016)

    How In-House Counsel, Management and the Board Can Collaborate to Manage Cyber Risks and Liability (Part Two of Two)

    Through engagement, risk assessment, and continual review of cybersecurity risks and solutions, directors can both mitigate their own liability as well as the data security and litigation risks threatening the company. Part two of our two-part series on the board’s critical role in cybersecurity and data privacy issues addresses: how the board can follow up on management presentations; steps it should take after a breach; recent post-breach derivative suit caselaw; and how the board, in-house counsel and management can ensure a strong defense to such derivative actions. Part one provided best practices for management and in-house counsel to educate the board and keep the directors updated on cyber-related issues. See also “The Multifaceted Role of In-House Counsel in Cybersecurity” (Dec. 9, 2015).

  • From Vol. 2 No.2 (Jan. 20, 2016)

    How In-House Counsel, Management and the Board Can Collaborate to Manage Cyber Risks and Liability (Part One of Two)

    “Cybersecurity is an enterprise risk issue that should ultimately rise to the level of the board of directors,” Ivan Fong, senior vice president, legal affairs and general counsel of 3M Company, advised. Understanding the role of the board, and counsel’s role working with the board, is integral for managing cybersecurity risk effectively. Part one of this two-part article series examines the increased role of directors in ensuring companies are appropriately protected against cyber threats and how management, including in-house counsel, should communicate with the board and keep it updated and informed. Part two will address the litigation risks faced by the board and individual directors and how to limit that liability, including details about the role directors should play to satisfy their fiduciary duties. See also “Protecting the Crown Jewels Using People, Processes and Technology” (Sep. 30, 2015).

  • From Vol. 2 No.2 (Jan. 20, 2016)

    Defining, Documenting and Measuring Compliance Program Effectiveness

    The risks of having a cybersecurity compliance program that exists only on paper are well-known, but measuring whether the program is actually working, how it is working and documenting those findings for internal and external stakeholders present challenges. A recent program at the SCCE Annual Compliance & Ethics Institute considered how compliance professionals can measure and document steps taken to demonstrate the effectiveness of their compliance programs for cybersecurity and other areas of law. The program featured Scott Hilsen, a managing director at KPMG’s forensic unit and Jean-Paul Durand, a vice president and chief ethics and compliance officer at Tech Data Corporation. See also “Eight Ways Compliance Officers Can Build Relationships With the ‘Middle’” (Oct. 14, 2015).

  • From Vol. 1 No.4 (May 20, 2015)

    Weil Gotshal Attorneys Advise on Key Ways to Anticipate and Counter Cyber Threats

    How to handle five data privacy danger zones; the board’s role in cybersecurity; public relations strategies after a breach; and clauses to include in cloud vendor contracts were among the hot topics Weil, Gotshal & Manges attorneys discussed at a recent conference. Partners Carrie Mahan Anderson, Jeffrey S. Klein, P.J. Himelfarb, Jeffrey D. Osterman and Michael A. Epstein shared their advice in the panel discussion.

  • From Vol. 1 No.1 (Apr. 8, 2015)

    How Can a Company Mitigate Cyber Risk with Cross-Departmental Decisionmaking?

    A lack of coordination among company units can be detrimental in many business areas, but when it comes to cybersecurity, isolated actions and decisions can pave a clear path to a data breach, and exacerbate the legal ramifications of that breach. In a guest article, Jennifer Topper of Topper Consulting explains: why cross-functional decisionmaking is so important in cybersecurity; how to make the business case for investing in proactive cyber planning; how to integrate the cybersecurity program; how to create a multidisciplinary group of stakeholders; and the role of the general counsel in information governance.
