Why and how CISOs should work with lawyers to address regulatory burdens

With regulatory scrutiny increasing, some CISOs are partnering with their organization’s legal counsel, seeking expert input to guide their compliance and risk minimization efforts. Chiara Portner, cybersecurity attorney with Hopkins & Carley, says lawyers play a crucial role in advising on risks and finding ways to mitigate them. “With the increasing regulatory scrutiny and burden, involving legal counsel in every step of the process helps companies navigate data privacy laws and security regulations effectively,” says Portner.

The push for stronger regulations is coming from two fronts: government and consumer pressure, says Portner. The demands to protect consumers and keep their data secure stems from the growing awareness among people about wanting their information protected. “Lay people are learning about privacy and security. They’re seeing more pop-ups and requests on websites or in apps and are starting to learn what those actually mean,” she says.

The government’s need to find and prosecute cybercriminals, many of whom reside in other countries, is shifting the burden onto organizations, according to Dave Anderson, vice president of cyber for insurance broker Woodruff Sawyer. “There has also been a contemporaneous paradigm shift such that companies who are attacked by cybercriminals are viewed less as ‘victims’ and more ‘negligent’ in their controls,” Anderson says.

As the consequences of data breaches to a company’s individual directors and officers such CISOs and general counsels are getting more severe, collaboration between information security and legal is becoming a baseline and reasonable minimum business practice, says Anderson. He argues that if it’s lacking, it could be viewed as demonstrating immense negligence in class action litigation and regulatory investigations, which could eventually be argued in a test case. “There is a high likelihood that criminal negligence theories will be tested over the coming years,” Anderson says.

The potential is something that CISOs need to take note of, according to Anderson. “CISOs should lean on their company’s general counsel or privacy officer to better understand the regulatory landscape their systems exist in,” he says.

Regulations redefining cyber risk as business risk

There’s an increasingly complex matrix of regulations organizations need to comply with: all the industry-specific ones, with financial and banking the most heavily regulated, along with healthcare and bioinformatics that deal with DNA, and the expanding list of sectors defined as critical infrastructure. There’s also the growing raft of country and jurisdiction-based requirements such as the European Union’s General Data Protection Regulation (GDPR), of which all global, online-operating organizations face.

David Owen, partner in cyber risk at Deloitte, says cyber regulations have evolved over the past few years to address the lack of control and decision-making in organizations. “Regulations aim to reduce discretion and enhance control measures,” Owen says. In particular, principles-based regulations require interpretation for effective implementation, he notes.

Owen also says having legal interpretations of terms such as “material harm” is incredibly important, ideally well before it’s needed in the case of an incident. Defining the scope of material harm changes the equation on the cost of cybersecurity spending. It helps CISOs write the business case demonstrating the value of spending money on cyber to lower the risk profile, not simply to add to the bottom line. “What regulation does for cyber leaders is to remove some of that management discretion,” he says.

As the regulatory burden increases, organizations and CISOs are having to take ownership of cyber risk, but it needs to be seen through the lens of business risk, according to Kayne McGladrey, field CISO with Hyperproof. Cyber risk is no longer simply a technology risk. “The problem is, organizationally, companies have separated those two and have their business risk register and their cyber risk register, but that’s not the way the world works anymore,” says McGladrey.

He believes the Securities and Exchange Commission (SEC), the Federal Trade Commission, FTC and other regulators in the US are trying to promote collaboration among business leaders because cyber risks are functionally business risks. McGladrey thinks most CISOs understand this, but that doesn’t necessarily extend to the other leaders in the business. “Can we just please have one risk conversation with people and plan that out appropriately,” he says.

However, not all CISOs are naturally well versed in defining the business case of cyber risk, and McGladrey believes CISOs who are more adept at articulating the business value of doing cybersecurity will find it easier to achieve buy-in, while those with a more technical background that emphasize compliance over business risk may find it more difficult to get support and budget.

“The underlying problem here is that, historically, CISOs have come from an IT background. They’ve sounded like IT people, they’ve talked about IT things, and so a lot of that communication has either just not been of interest to the board or not of interest to senior executives, or the message hasn’t landed,” says McGladrey. “The challenge CSIOs have moving forward is how do we collectively speak to an increasingly diverse number of audiences about an increasingly diverse number of topics so that everybody understands what we’re saying? With a tailored message to each of them?”

In collaborating more closely with legal, CISOs can get the support they need to understand the regulatory environment for the organization and adopt the language of business risk to bolster the case for spending to meet the regulatory requirements. Yet CISOs can’t be expected to stay up to date across the most recent permutations of the legal system; they lack the time and the training, and it’s not their specialty. So how do they understand what’s changing and avoid enforcement penalties or even litigation that could result from non-compliance?

Working collaboratively with counsel, they gain insights into what’s going on in the larger world, and what risks they need to plan for. “CISOs should not be responsible for figuring out all the most recent permutations of the legal system,” McGladrey says. “It’s not really possible as a CISO to be looking over the horizon and reading law journals and trying to parse out if they need to modify the strategy or security roadmap and plans based on either the outcomes of pending litigation or potential legislation or potential regulatory change.”

“It’s having a discussion on say a quarterly basis about what’s coming up and what they need to be aware of. If you treat legal risks as another risk vector as a CISO, you’ll be better informed and able to make decisions proactively rather than reactively,” says McGladrey.

Holistic cybersecurity risk management with the help of counsel

Woodruff Sawyer’s Anderson argues that CISOs need holistic risk management, and this means identifying everywhere PII and protected data sits. “One must know what type and how much data they are responsible for,” he says. This includes cloud providers, third-party vendors, or other entities in a company’s supply chain that hold data. “Ultimately, the company collecting the information is always going to be responsible.”

“[General counsels] or internal compliance or privacy counsel will be better served to defend their company from litigation if they can clearly separate specific data sets that may have been compromised and those data sets that have not. Relying on your CISO’s effective data management and data inventory strategy is the single best way to understand your scope of liability after a cyberattack,” he adds.

Anderson says CISOs need both knowledge and contextualization and working closely with legal helps them shape their strategy in response to the regulatory environment and may even soften any penalties. “Regulators are often more lenient on enforcement actions when the attacked company took all the appropriate actions and demonstrated a good faith effort to build a data security program that contemplates privacy and regulatory requirements upfront,” he says.

With the increasingly complicated regulatory landscape, having legal interpretations and guidance is critical. Highly prescriptive regulations don’t tend to consider the context, which then moves the risk onto the person who writes the control list, according to Deloitte’s Owen. Whereas with principles-based regulations, the regulator is saying it wants the organization “to demonstrate it’s been through a thought process about it, rather than telling organizations what the control should be because it can’t write regulations that consider every single context of how information will be used,” he says. “You need to get an interpretation to make good business decisions.”

Owen, whose area of expertise is critical infrastructure, emphasizes the importance of legal guidance with principles-based regulations, as is the case in Australia. He argues there’s a lot of scope to spend a ton of money without really getting to why you are doing it and what is the clear linkage to the regulation. “You can do a wonderful risk management program, which actually fails because it doesn’t tie back to the current threshold tests around materiality that have been defined in law,” he says.

Having an interpretation of a threshold test is hugely beneficial in the event of an incident. “For example, knowing at what point you have to notify consumers it’s good to have that threshold interpreted before the incident rather than during the incident,” Owen says.

Hyperproof’s McGladrey agrees that CISOs don’t want to seek definitions for the first time with their legal advisors in the midst of an incident. “[Knowing those definitions] can make an incident response so much more pleasant. It’s still a terrible time, but you at least trust the person you’re working alongside,” he says.

Having legal onside can also help CISOs in negotiations with vendor, supply chain, or customer contracts. If there’s some proof required or contract terms, the CISO can get an opinion or advice before signing off on things that may be unnecessary or even unwise. “They might say: ‘We don’t need to disclose that,’ or ‘There’s no value in us to have an established policy on that,'” says McGladrey.

Legal counsel can help define risk tolerance

“Everyone has the same goal to make the company protected, whether it’s counsel, CISOs or management team within the company,” says Portner. The key is defining the risk tolerance the company is willing to accept and what this means in practice.

It goes to questions of whether certain security measures may create user fatigue, friction, or too many clickthroughs, and achieving an acceptable level of transparency. “Balancing what is reasonable and makes sense, but always keeping in mind, having transparency and honesty,” adds Portner.

While legal counsel won’t get to the level of recommending certain tools or platforms, they can provide advice on risk and potential liability. They can inform the risk conversation and help CISOs articulate the potential consequences of not investing in certain measures or taking specific protections.

The decision then becomes costing out how much to avoid the problem, or alternatively to transfer the problem to insurance. “That’s how they can help make the organization more secure, but it’s only through the counsel’s contributions to the risk conversation rather than the counsel directly owning making the organization more secure because that’s not in their purview,” says McGladrey.

Depending on the risk profile, CISOs may choose to partner with their counsel as a sounding board, making the final decisions themselves. Other CISOs may make recommendations but decline to be the final decision maker under advice from their counsel so as not to be singularly responsible, and therefore liable, if things go bad.

On the question of what personal responsibility CISOs hold, legal advice may be needed. In the US, CISOs need to know if they’re named, via their role or individually, on the directors and officers (D&O) policy, says McGladrey, to understand their potential personal liability if a suit is brought against the organization. If a CISO is not on the D&O policy, that doesn’t mean the corporation necessarily has to afford them extensive legal protections, he says. “This comes to having that relationship with your counsel and understanding what are they willing to cover. And what you need to retain personal counsel for.”

While some CISOs don’t work with counsel in any regular arrangement, only coming together if there’s a breach or incident, this may be unsustainable as the regulatory environment becomes more demanding. “As things become more contentious and more heavily regulated, that’s going to be a harder position to maintain,” McGladrey says.