After Yahoo announced its mega breaches and its General Counsel was fired, this article is not much of a surprise.
John Reed Stark, head of his own consulting firm, formerly Chief of the SEC’s Office of Internet Enforcement and a former law professor at Georgetown Law, and David Fontaine, CEO of the billion-dollar risk mitigation firm Kroll, a Yale Law graduate and partner at the law firm of Miller, Cassidy, Larroca and Lewin, wrote a great piece recently.
The basic premise is that the General Counsel is going to be the fall guy when there is a breach, so he or she might want to get ahead of that freight train and plan for dealing with it, like any other risk such as financial reporting, sexual harassment and insider trading.
I highly recommend that CEOs, CFOs and Board Members read the entire article because a summation is not going to do it justice, but they bring up three key points. First a little background.
If, after reading the article, you are more confused than when you started, please contact me.
From the Yahoo Board after action report:
Based on its investigation, the Independent Committee concluded that the Company’s information security team had contemporaneous knowledge of the 2014 compromise of user accounts, as well as incidents by the same attacker involving cookie forging in 2015 and 2016. In late 2014, senior executives and relevant legal staff were aware that a state-sponsored actor had accessed certain user accounts by exploiting the Company’s account management tool. The Company took certain remedial actions, notifying 26 specifically targeted users and consulting with law enforcement. While significant additional security measures were implemented in response to those incidents, it appears certain senior executives did not properly comprehend or investigate, and therefore failed to act sufficiently upon, the full extent of knowledge known internally by the Company’s information security team. …
Nonetheless, the Committee found that the relevant legal team had sufficient information to warrant substantial further inquiry in 2014, and they did not sufficiently pursue it. As a result, the 2014 Security Incident was not properly investigated and analyzed at the time, and the Company was not adequately advised with respect to the legal and business risks associated with the 2014 Security Incident.
Here are the three recommendations:
#1 – The GC has emerged as the most logical and effective quarterback of data breach response.
We agree with this completely, with a few caveats. Most GCs are not cyber security gurus. The GC needs to bring in both internal and external cyber security experts in order to make the right decisions about the risk. While Fortune 500 firms have access to great cyber security teams, sometimes it is hard to be a prophet in your own land, and outside expertise may be helpful.
In addition, based on precedent, to get the maximum benefit of attorney client privilege, engaging outside counsel may be mandatory.
#2 – Yahoo’s actions not only signal the evolution of a new standard of care for GCs when it comes to cybersecurity but also signal a vast expansion of GC oversight.
The article goes into great detail of what the GC should ensure is being done proactively.
Our takeaway is this. It is only a matter of time before the lawsuits are successful and the cost to companies of inaction becomes dramatically more than the cost of action. One strategy is to hide behind a boulder and hope the avalanche misses you, but based on experience here in Colorado, the avalanche usually wins.
Be prepared or be buried by the breach avalanche.
#3 – Cybersecurity presents every bit, if not more risk than financial reporting failure, and should receive the same level of oversight and audit.
I could not say this better myself and in fact, have been saying just this for years.
Cyber, for most companies, whether private or public, is a much more likely risk than financial reporting failure, and one that the public understands much better. If Target made errors in its financial reporting, most consumers would just shrug and move on. Compromise 50 million consumer credit cards and it takes years for Target to recover its reputation.
Information for this post came from LinkedIn.