According to frequent headlines in the press, cybersecurity is an issue that has seized the attention of corporate boards and the executives who report to them. The reality is probably more nuanced. Although the largest companies in some sectors are engaged in extensive risk management efforts, the broader business community in the middle market remains at best uneven in its response, says Matthew F. Prewitt, partner with law firm Schiff Hardin in Chicago, chair of Schiff Hardin’s data security and privacy team and co-chair of the trade secrets and employee mobility team. These companies, Prewitt says, have adequate resources to enhance materially their data security, and yet many continue to treat cybersecurity as a low-priority issue to be addressed internally by the IT department. Are middle-market companies in a state of denial?
Could a company be safe because the hackers have never even heard of them?
Matthew Prewitt: This wishful thinking is based on multiple common misperceptions. First, for many businesses, the single greatest cybersecurity risk is a company’s own employees, not sophisticated cybercriminals. Although dishonest or malicious employees are a significant risk, an even greater risk is often mere carelessness. Second, as the largest corporations have invested billions to enhance data security, some cybercriminals are believed to be targeting smaller companies, precisely because of their more modest security budgets. Third, many categories of cybercrime are not specifically targeted against any single business, such as a ransomware attack, malware that freezes the infected hard drive or server and demands payment of a ransom in exchange for unlocking the malware.
If the most sophisticated companies cannot keep the hackers out, is increasing investment in security a waste of money?
Matthew Prewitt: Cybersecurity conjures images of high-priced experts implementing complex and expensive technology. In reality, the most important first step is training employees to be safe with technology the company already has in place. Training employees on basic password hygiene, avoiding use of insecure personal webmail and cloud storage, and spotting email phishing and similar scams can greatly increase security without purchasing any expensive new hardware or software solutions. For the human element of cybersecurity, the middle market has a significant advantage over the Fortune 100. Building a strong, consistent company culture of data security is much more achievable in a small, cohesive organization. Ultimately, cybersecurity requires the same assessment as any other corporate risk management program.
Why does Legal need to be involved in cybersecurity discussions?
Matthew Prewitt: Investigation, notification, compliance and litigation expense are often the most expensive out-of-pocket costs a company will face as a result of a data breach. Budgeting for cybersecurity with an approach that is proportionate to the company’s risk requires understanding the company’s legal obligations and potential liability in the event of a breach. The other part of intelligent budgeting is honest self-assessment of the company’s current state of readiness. Counsel will often recommend that such an assessment proceed under the protection of the attorney-client privilege. Counsel should also assist the company to document its cybersecurity practices so that, when a breach happens, the company is prepared to demonstrate that the breach occurred despite its careful compliance with its legal obligations. Of course, when a breach does happen, counsel needs to be involved from the earliest stage in what should be treated as a sensitive internal investigation.
If you have cyber insurance, aren’t you protected?
Matthew Prewitt: Most insurers now issue commercial general liability policies that expressly exclude cyber breach-related claims. Businesses that need cyber insurance must purchase either additional or separate coverage with a separate application and underwriting process. Cyber insurance policy language varies widely and does not yet benefit from the guidance of extensive litigation and judicial interpretation. Evaluating the scope of coverage offered by a policy must be approached with caution. A further risk for insureds is growing anecdotal reports of insurers denying claims based on incomplete or inaccurate information provided by the insured during the application process.
Shouldn’t an IT department have cybersecurity under control?
Matthew Prewitt: Even the most resourceful IT department cannot protect the company standing alone. Cybersecurity is as much an HR issue as an IT issue. Each department has a role to play by working collaboratively to understand and address risks. Even facilities management has a critical function in simply restricting unauthorized physical access to network servers. Effective cybersecurity requires someone coordinating these efforts across departments. If a company expects the CIO to fill that role, then the Board needs to recognize that this is a material expansion of the CIO’s traditional business function. The CIO role predates the cybersecurity crisis and reflects a very different business mission – increasing productivity, reducing cost and maximizing efficiency for the company’s IT systems. Protecting the company’s systems from cyberattacks that are designed to disrupt operations or destroy systems arguably falls within this traditional mission. However, many cybercriminals want data, not disruption. If the CIO is also to be the CSO, then her job description, performance metrics and compensation model should reflect the new, materially different role.
How can enhanced security grow revenue for the business?
Matthew Prewitt: Explaining why a company needs to enhance cybersecurity can be a depressing parade of horribles. However, there is at least one positive selling point. Most companies have customers who are concerned about cybersecurity, too. Being in a strong position to respond to client inquiries and to meet customer-imposed data security standards may give a business a competitive edge over rival firms who fail to make a similar investment.