How to explain the legal aspects of cybersecurity to the Board of Directors?

How to explain the legal aspects of cybersecurity to the Board of Directors

by Peter Craddock, Counsel and head of the IT, Data Protection & Cybersecurity team at NautaDutilh

Forget the clichés – cybersecurity is not just an IT issue, it is a company-wide issue. From the chair(wo)man of the Board of Directors to the newest intern, every person in an organisation can be both a cybersecurity threat and a cybersecurity asset.

Given that 30-35% of cyber threats tend to result from actions of well-meaning employees, it is crucial for organisations to ensure that the proper strategy is deployed and that the risk of individuals being a cybersecurity threat is limited as much as possible (see CrowdStrike Services Cyber Front Lines Report, 2019, as well as Deloitte, The future of cyber survey 2019).

The Board’s role in this respect is multi-faceted, with two key points of attention:

• The Board is in charge of setting a strategy for and overseeing a company-wide approach to cybersecurity. Not the actual implementation – that is for the Management to determine – but under no circumstances is “IT will do this fine” an appropriate strategy.
• Individually, directors can have access to commercially sensitive information or even certain forms of personal data. To be a shield against threats rather than a liability, directors must be aware of the risks and of ways to improve their cyber-hygiene.

1. Legal and compliance advisors play an important cybersecurity role

Defining a strategy and having good cyber-hygiene do not require directors to be IT experts; however, a successful approach always relies on information – such as a good overview of the risks and opportunities – and openness to advice.

Today, organisations generally recognise the importance of cybersecurity. According to the Microsoft and Marsh Global Cyber Risk Perception Survey of 2019, 79% of respondents ranked cyber risk as a top-five concern for their organisation.

To help them devise a strategy, Boards are quick to turn to technical advisors (in particular individuals such as the Chief Information Security Officer or Chief Technology Officer), who have a critical role to play in making directors aware of the technical risks and possibilities and in sharing input on what has been achieved each reporting period.

Yet legal and compliance advisors have an equally critical role to play. Cybersecurity risks are not merely technical in nature but can also be legal: failure to comply with the rules of cybersecurity law can lead to liability towards third parties and even administrative or criminal fines. A successful cybersecurity strategy therefore needs to consider legal risks.

In this context, legal and compliance advisors can help Boards define and refine their cybersecurity strategy through different means, such as training and reporting.

We have included below various suggestions on how to put these means into practice.

2. Training: improving the level of cyber-awareness among the Board

Cybersecurity law training covers various topics and takes many forms. It is therefore crucial for you as legal and compliance advisors to choose the mode and content that best fits your Board.

a) Legal framework

Organise training on the legal aspects of cybersecurity for the Board so that directors are aware of the principles that must underpin its cybersecurity strategy.

The selection of topics is crucial given that cybersecurity law is more than just the GDPR. Aside from data protection, there are sector- or activity-specific rules (e.g. finance and telecommunications sectors among others, but also providers of essential services or certain kinds of digital services), as well as cybercrime-related legislation. There are rules in relation to security measures as well as rules regarding the handling of security incidents (personal data breaches being one form of security incident); there are rules on what constitutes a cybercrime and what is authorised security research or ethical hacking. In the UK, there is even a legal initiative that would impose specific, technical security requirements for all new Internet-of-Things devices (notably a unique password for each device that is not resettable to a universal factory setting).

Whichever topics you choose, make their impact clear. The Board may appreciate theoretical exercises and presentations, but without illustrations of what this means for the organisation – or for directors individually – they may struggle to assimilate your training.

Finally, try to involve the information security team in the preparation of such training, not only to ensure the technical accuracy of any factual explanations given but also to help you understand references to certain concepts or technical standards if they seem unfamiliar.

b) Fines

Talk about fines during these trainings as well – not to scare directors, but to make the risks tangible. Recent fines imposed by data protection authorities across the European Union for inadequate security measures help highlight the importance of good cyber hygiene. For instance:

• in Germany, a telecommunications provider was fined 9.55 million EUR for failure to have sufficient controls in place for access to customer data;
• in Bulgaria, the National Revenue Agency was fined 2.6 million EUR for similar failures.

In other words, on top of the financial and reputational damage they caused for the organisations in question and the damage to affected individuals, these security failures highlighted infringements of cybersecurity laws and led to high fines. It is also worth noting that proper logical access controls, i.e. restrictions on who sees what, are one of the first building blocks that need to be examined when devising a system, database or application.

These eye-catching amounts help focus minds, as they show that cybersecurity is not a dead weight, a mere cost. Aside from the many other benefits in terms of protection of assets, even a little investment in cybersecurity can help avoid fines and the reputational fallout they can cause.

c) Incidents

If you can, contemplate carrying out incident simulations or workshops with Board involvement. A dry run allows stakeholders to try out an incident response plan and think about possible solutions to problems. In addition, it helps limit the sense of panic and intense pressure that many feel when they first have to deal with a major incident.

For instance, a security incident or data breach workshop might lead the Board to examine tricky issues in a practical manner, such as the question of whether to pay or not if the organisation is paralysed by a ransomware attack or what steps to take in case of corporate espionage.

2. Reporting, to help with awareness of internal & external developments

Reporting on cybersecurity law will often be included in reports from Management, which can cover both internal status updates and external legal changes.

a) Internal status updates

In terms of internal developments, reports from Management have to help the Board determine whether the organisation is properly addressing both potential and actual legal risks.

Legal and compliance advisors therefore have to summarise for these reports the state of compliance with cybersecurity law, points of attention and any ongoing contacts with regulators or disputes.

It is important to stress the broader repercussions cases before regulators can have. The Belgian Data Protection Authority, for instance, has refined its approach in relation to the naming or anonymisation of organisations in its published decisions, but an imprudent approach can lead to improperly anonymised decisions or decisions with full identification – with all the reputational fallout that this can cause. In case of a significant and potentially damaging decision in public relations terms, legal and compliance advisors have to highlight these risks as well.

b) Impact of legal changes

Reporting is also crucial to keep the Board up to date on new legislation and case law and how they may impact the cybersecurity strategy (obviously, this can also take the form of refresher trainings).

Data protection case law is a key source in this respect, due to the many ongoing cases before the Belgian Data Protection Authority and other supervisory authorities within the European Union that are based on data breaches or security failings.

c) Collaboration with information security teams

As these reports aim to help the Board (re)evaluate its cybersecurity strategy, it is best to establish a dialogue between legal and compliance advisors on the one hand and information security teams on the other hand to provide combined and pragmatic input.

To be successful, though, such collaboration has to be recurrent and not limited to the preparation of one report – the Board will benefit from a more comprehensive overview of the risks and measures taken, while the organisation will benefit from greater alignment in the implementation of the cybersecurity strategy.

3. Cybersecurity is a process, not a state

By way of closing comments, it is important to stress that full security is an illusion. Legal and compliance advisors can therefore not require full cybersecurity for compliance; a risk-based approach will invariably be required.

Likewise, the Board will have to acknowledge that not all risks can be averted. In such a case, the role of legal and compliance advisors involves suggesting ways to handle or mitigate those risks, taking into account applicable legal requirements.

You yourself may need a hand along the way – in that case, feel free to reach out for support.