How the Relationship Between CISOs and Legal Teams is Changing

Author: Kayne McGladrey, Field CISO, Hyperproof
Date Published: 27 April 2023

Editor’s note: The following is a sponsored blog post from Hyperproof.

In today’s environment, regulatory enforcement and scrutiny around companies’ security programs and other types of compliance programs (e.g. anti-money laundering, know your customer) has intensified. A recent survey of over 1,000 IT security, risk and compliance professionals found that companies are tightening governance over matters of cyber risk and focusing on more transparency and communication around compliance and risk throughout their organizations. This includes CISOs and legal teams, two groups that have traditionally been separated by long-standing communication silos.

With an increase in regulatory burden and more headline-making legal matters than ever, the relationship between CISOs and legal teams is changing — possibly for the better. CISOs are actively seeking out counsel to make critical decisions like adapting to new regulatory burdens, purchasing cybersecurity insurance and addressing liability in case of a breach.

In 2022, some CISOs were visibly held accountable in headline-making legal matters, and CISOs are worried. Several companies made headlines in 2022 for security breaches, failures and regulatory violations, including Joe Sullivan/Uber (which we’ll discuss more below), Aerojet Rocketdyne, Drizly, and FTX. In response, the way cybersecurity experts communicate with the C-suite is changing.

How the Joe Sullivan/Uber Case Changed the Relationship Between CISOs and Legal Teams

In October 2022, Joe Sullivan, the former Uber security chief, was found guilty of one count of obstructing the FTC's investigation of a breach of customer and driver records and failing to report this breach to government regulators. He was also found guilty of one count of misprision, or acting to conceal a felony from authorities.

One-third (33%) of Hyperproof’s survey respondents said that in the wake of the Joe Sullivan/Uber case verdict, their company has made changes to how the legal team works with their CISO to protect the company and its CISO. Companies are paying attention to these highly publicized news stories and are anxious about what they can do to avoid becoming one. Breaking down the long-standing silo between IT/security and legal teams is top-of-mind for many respondents.

Adapting to New Regulatory Burdens: How CISOs and Lawyers Can Form a True Partnership

2023 is already a milestone year for increased regulatory burden for CISOs and their teams, but legal teams are stepping in to provide assistance. For example, the recently announced National Cybersecurity Strategy calls for one or more new laws to be drafted so that software vendors cannot avoid liability through a EULA, and companies are already preparing for future legislative action in this space.

They’re doing this by consulting their trusted counsel and asking about BAAs, SLAs and contracts that could impose liability on software vendors notwithstanding EULAs. Legal teams are providing insight on clauses that may allow companies to refer to documents outside the “four corners” of the contract, such as a new law once it is passed, or on whether counsel may argue that a vendor used unfair bargaining power when getting their client to accept a EULA that allows the software vendor to avoid liability.

How Lawyers and CISOs Are Partnering on Cyber Insurance

The topic of cyber insurance is an age-old challenge. Purchasing cybersecurity insurance that actually covers what is needed has been a sore spot for CISOs over the last decade. The survey uncovered that counsel is stepping in to help executives parse insurance policies to make better-informed purchasing or renewal decisions. Here’s an example of when lawyers and CISOs would work together to make this decision:

Let’s say a company has purchased insurance to protect against a cyberattack like ransomware, but it hasn’t specified that this cyberattack could start via phishing due to a lack of effective email security controls. While the company might view this as a single cyber risk, some insurers might view the event as a financial risk. Thus, the cyber insurance purchased might not actually cover the ransomware attack as a result, or may require extensive and time-consuming discovery in an attempt to deny claims.

Another example is CISOs who don’t have D&O insurance. They are typically named as a party either directly or as an officer of the company, and are looking to retain private counsel to help secure D&O insurance. The insurance, which usually protects the company as well, covers legal fees, settlements and other costs. D&O insurance is the financial backing for a standard indemnification provision, which holds officers harmless for losses due to their role in the company. Many officers and directors are working closely together to secure both indemnification and D&O insurance.

Directors and officers may be sued for a variety of reasons related to their company roles, including:

  • Breach of fiduciary duty resulting in financial losses or bankruptcy
  • Misrepresentation of company assets
  • Misuse of company funds
  • Fraud
  • Failure to comply with workplace laws
  • Theft of intellectual property and poaching of competitors’ customers
  • Lack of corporate governance

Examples like these are why CISOs and legal teams are working more closely together than ever (and becoming more aware of new threat actor behavior and its increasing creativity). CISOs and legal teams are now partnering to communicate risk to insurers in specifics: articulating that they want coverage for the loss of key business data via a cyberattack, and describing the precise detective or compensating controls they currently have in place.

To Wrap Up

Ultimately, this increase in regulatory burden might bring CISOs and legal teams closer together, which can only help a company stay secure. By eliminating communication silos, companies are also increasing the flow of data between teams to truly understand their compliance postures.

About the author: Kayne McGladrey, CISSP is the field CISO for Hyperproof and a senior member of the IEEE. He has over two decades of experience in cybersecurity and has served as a CISO and advisory board member, and focuses on the policy, social, and economic effects of cybersecurity lapses to individuals, companies, and the nation.