Grant Thornton LLP recently hosted a webcast to discuss cybersecurity and its role as an element of an enterprise-wide corporate governance program. The online event featured Todd McClelland, Partner in the Intellectual Property practice at Jones Day, as well as Johnny Lee, Managing Director, Forensic, Investigative and Dispute Services practice, at Grant Thornton, with Mark Sullivan, Grant Thornton’s Principal and National Practice Leader for Investigations, who also served as moderator.
The webcast followed Grant Thornton’s 2014 Corporate General Counsel Survey, conducted by ALM Marketing Services to gain further insight into in-house counsels’ assessment of cybersecurity and data privacy.
Responsibility for cybersecurity
One of the key issues facing companies that are trying to improve cybersecurity is determining who should be responsible for it. Considering that there are numerous elements of a cybersecurity function, including risk management, response planning and strategy, the speakers concluded that a cross-function team is probably best. Webcast attendees were asked their opinion as well. Approximately three out of four attendees said that “a cross-functional team representing multiple business units” should be responsible.
One point the speakers were sure to make is that the legal department should not be primarily responsible. As McClelland explained, “Businesses are figuring out how to exploit information. IT is trying to secure it. The legal department just wants it to all go away.”
A cross-functional approach starts with the board of directors, which may have fiduciary responsibilities and can no longer “stick their heads in the sand and then avail themselves of the ‘business judgment rule,’” according to McClelland. Additionally, boards are being held accountable.
Accordingly, it is the responsibility of the board to set the culture for the organization. From there, it is the responsibility of management and its designees within the company to implement the board’s vision and build a program that fits the culture. The board should work with the management team to establish a risk program and budget. Management then should carry out its obligations, following a tactical plan created by a chief information security officer (or someone in a similar role), with inputs from the cross-functional team referenced above. The National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity illustrates a solid process for how the different levels should work together.
The panelists both agreed that, as a general proposition, the legal department is responsible for ensuring that the program is compliant with all laws and regulations, but a cybersecurity program should not be about compliance alone; properly derived, it is designed to manage risk. In addition to legal, the cross-functional team should include IT, finance and operations. Based on the industry — and how highly regulated it is — internal audit, marketing, agent relations and vendor management should perhaps be included as well. Communications, investor relations and business unit leads may also want to get involved in order to make cybersecurity a truly enterprise-wide function.
It is important to note, however, that while it is optimal if the tone is set at the top, the catalyst can come from anywhere in the organization. Sometimes it starts with a focus on ensuring compliance and transforms into a risk management initiative. As McClelland put it, “Don’t point at someone else and think it’s their job. The buck does stop with the board, but it’s everyone’s obligation.”
Responsibility for privacy
As Lee remarked, many people may conflate “privacy” and “security,” but they are not exactly the same thing. And because privacy is a more distinct discipline, it makes sense to consolidate the responsibility.
So while the privacy program at the webcast attendees’ organizations is managed by a wide array of different positions — “cross-functional group” was the most common answer at 31.6% — the speakers were in agreement that having a designated chief privacy officer (CPO) is ideal. The panelists likewise agreed that one primary benefit of having a CPO is the ability to demonstrate that the privacy program is being taken seriously, should the company later be investigated. “A regulator is going to be comforted if the position exists,” according to Lee, but the role must not be simply window dressing. The panelists agreed that, if the CPO does not have appropriate authority and understanding, having someone serve in this role may hurt the organization much more than it helps.
It is also critical to not let the wrong person own the privacy function simply because he or she has the capacity for it, which Lee said gives the appearance that the company has simply “checked the box.”
“The responses reflect the way different organizations are handling privacy,” said Lee. “There has not been a set method. There is a trend toward having a CPO, but the most important thing is to have someone at the C-level with responsibility. That person can be a CPO or can come from audit, legal or anywhere else.”
The NIST framework
The speakers spent some time discussing the NIST Framework for Improving Critical Infrastructure Cybersecurity. According to the NIST website, “The Framework, created through collaboration between industry and government, consists of standards, guidelines, and practices to promote the protection of critical infrastructure. The prioritized, flexible, repeatable, and cost-effective approach of the Framework helps owners and operators of critical infrastructure to manage cybersecurity-related risk.”
According to the speakers, the framework can be used to help identify and prioritize actions for reducing cybersecurity risk, and it is a tool for aligning policy, business and technological approaches to managing that risk. It uses a common language to address and manage cyberrisk in a cost-effective way that does not place additional regulatory requirements on businesses.
There are five key elements to the NIST framework: Identify, Protect, Detect, Respond and Recover. At a high level, these elements cover a logical progression, ranging from preparation to investigation to remediation and post-incident activities. While not binding, this framework provides a useful rubric, within which companies can begin to identify where within that progression they may need focused attention in the short, medium and long term.
While the NIST framework can be extremely useful, it is important to understand that, while it is based on existing standards, guidelines and best practices, it is not a law and there is no legal requirement to implement it. However, the NIST framework has taken on some of the attributes of a law. McClelland pointed out that the framework “is a consensus-based document, so it represents the industry standard, although it is not a regulatory standard.”
However, courts, regulators and even consumers may hold institutions accountable for failures that could have been prevented if the framework had been fully implemented. The speakers agreed that following the NIST framework allows companies to illustrate that they are acting reasonably, and that not following it is something plaintiffs’ attorneys might use to score points against the company in a civil action.
In many ways, Lee said, the NIST framework is akin to the company code of conduct and that policy’s relation to the federal sentencing guidelines; namely, it helps mitigate the risk that someone might say you are not acting reasonably. Lee went on to liken this to Pascal’s Wager, the philosophical argument that one would be wise to conduct one’s affairs as though God exists, whether or not one actually believes in God. As Lee put it, “Whether you believe the NIST framework has the force of law or not, if you buy in and deploy against that standard of diligence, you gain the benefits of following the law and you are likely to meet a reasonableness standard every time.”
Managing cybersecurity risk
Finally, the speakers discussed the best methods for managing cybersecurity risk, citing three effective methods:
Leveraging the NIST framework
Making sure to remain in compliance with cybersecurity standards and laws
Continuous monitoring and prevention across the entire organization
“This is where you bring Pascal’s Wager back,” Lee said. “Cybersecurity is so multifaceted it can be defined 100 different ways. There can be 54 elements just relative to privacy laws at state and federal levels. This is in addition to duties of the board, class-action litigation risks and much more. The first step is determining what cybersecurity means for your organization.”
Likewise, there are different ways to manage the risk. Some companies are willing to accept some risk; others wish to mitigate it all. Some will choose to address the threat, while some try to minimize the impact by getting rid of as much data as possible. Many companies are seeking to insure against the risk.
Whatever the organization’s philosophy and level of tolerance, preparation is the key. Make sure there is a strategy in place and it aligns with the overall business strategy. Do a compliance gap analysis and create or review policies, procedures and incident response plans. Make sure that key stakeholders meet regularly. Review insurance policies and key vendor contracts. Having a data governance plan in place and making sure it’s regularly reviewed can be the difference between an “incident” and a “disaster.”
And perhaps most importantly, remember that compliance does not equal security. The goal is not just to be in compliance, it is to protect against and properly respond to a breach. “All of these strategies need to be employed together. Therein lies the difficulty in trying to manage cybersecurity,” said Lee.