“[General counsels] or internal compliance or privacy counsel will be better served to defend their company from litigation if they can clearly separate specific data sets that may have been compromised and those data sets that have not. Relying on your CISO’s effective data management and data inventory strategy is the single best way to understand your scope of liability after a cyberattack,” he adds.
Anderson says CISOs need both knowledge and contextualization, and working closely with legal helps them shape their strategy in response to the regulatory environment and may even soften any penalties. “Regulators are often more lenient on enforcement actions when the attacked company took all the appropriate actions and demonstrated a good faith effort to build a data security program that contemplates privacy and regulatory requirements upfront,” he says.
With the increasingly complicated regulatory landscape, having legal interpretations and guidance is critical. Highly prescriptive regulations don’t tend to consider the context, which then moves the risk onto the person who writes the control list, according to Deloitte’s Owen. Whereas with principles-based regulations, the regulator is saying it wants the organization “to demonstrate it’s been through a thought process about it, rather than telling organizations what the control should be because it can’t write regulations that consider every single context of how information will be used,” he says. “You need to get an interpretation to make good business decisions.”
Owen, whose area of expertise is critical infrastructure, emphasizes the importance of legal guidance with principles-based regulations, as is the case in Australia. He argues there’s a lot of scope to spend a ton of money without really getting to why you are doing it and what is the clear linkage to the regulation. “You can do a wonderful risk management program, which actually fails because it doesn’t tie back to the current threshold tests around materiality that have been defined in law,” he says.
Having an interpretation of a threshold test is hugely beneficial in the event of an incident. “For example, knowing at what point you have to notify consumers it’s good to have that threshold interpreted before the incident rather than during the incident,” Owen says.
Hyperproof’s McGladrey agrees that CISOs don’t want to seek definitions for the first time with their legal advisors in the midst of an incident. “[Knowing those definitions] can make an incident response so much more pleasant. It’s still a terrible time, but you at least trust the person you’re working alongside,” he says.
Having legal onside can also help CISOs in negotiations with vendor, supply chain, or customer contracts. If there’s some proof required or contract terms, the CISO can get an opinion or advice before signing off on things that may be unnecessary or even unwise. “They might say: ‘We don’t need to disclose that,’ or ‘There’s no value in us to have an established policy on that,’” says McGladrey.
Legal counsel can help define risk tolerance
“Everyone has the same goal to make the company protected, whether it’s counsel, CISOs or management team within the company,” says Portner. The key is defining the risk tolerance the company is willing to accept and what this means in practice.
It goes to questions of whether certain security measures may create user fatigue, friction, or too many clickthroughs, and achieving an acceptable level of transparency. “Balancing what is reasonable and makes sense, but always keeping in mind, having transparency and honesty,” adds Portner.
While legal counsel won’t get to the level of recommending certain tools or platforms, they can provide advice on risk and potential liability. They can inform the risk conversation and help CISOs articulate the potential consequences of not investing in certain measures or taking specific protections.
The decision then becomes costing out how much to avoid the problem, or alternatively to transfer the problem to insurance. “That’s how they can help make the organization more secure, but it’s only through the counsel’s contributions to the risk conversation rather than the counsel directly owning making the organization more secure because that’s not in their purview,” says McGladrey.
Depending on the risk profile, CISOs may choose to partner with their counsel as a sounding board, making the final decisions themselves. Other CISOs may make recommendations but decline to be the final decision maker under advice from their counsel, so as not to be singularly responsible, and therefore liable, if things go badly.
On the question of what personal responsibility CISOs hold, legal advice may be needed. In the US, CISOs need to know if they’re named, via their role or individually, on the directors and officers (D&O) policy, says McGladrey, to understand their potential personal liability if a suit is brought against the organization. If a CISO is not on the D&O policy, that doesn’t mean the corporation necessarily has to afford them extensive legal protections, he says. “This comes to having that relationship with your counsel and understanding what are they willing to cover. And what you need to retain personal counsel for.”
While some CISOs don’t work with counsel in any regular arrangement, only coming together if there’s a breach or incident, this may be unsustainable as the regulatory environment becomes more demanding. “As things become more contentious and more heavily regulated, that’s going to be a harder position to maintain,” McGladrey says.