Attorney Authored
Cybersecurity: The Intersection of Threat and Innovation
November 09, 2017
Robert Silvers
Partner, White Collar Investigations and Privacy & Cybersecurity Practices
Sherrese Smith
Partner, TMET and Privacy & Cybersecurity Practices
The growing profile and cost of cyberattacks have put this issue at the top of the corporate agenda, and highlight the potential threat to the data-fueled architecture of today’s global business environment. The dynamic nature of cybersecurity threats, their pervasiveness, and the frequency of attacks can provoke feelings of helplessness. Nothing could be further from the truth and a leadership mindset that there is nothing to be done is the biggest danger of all.
Tackling cyber risk involves both assessment and action. It is essential to prioritize a company’s risks. The starting point is identifying the worst-case scenarios and highest risks—the operational disruption or compromise of sensitive data that would be most painful for the company—and make that the prime focus for risk management and remediation.
Next, companies must ensure their decision-making structure is appropriate to deal with this challenge. Companies with high data risk could have a board director with deep data security expertise. Other companies may favor creating subcommittees of the board, for example reporting to the audit or risk committees, or consider establishing a dedicated data security committee reporting to the C-suite. There is no one perfect structure—what’s essential is that risks are identified, ranked, mediated, and monitored regularly, and that lines of accountability within the company are clear so that these vital efforts are undertaken effectively.
In addition, greater cooperation within industry sectors is advisable in order to identify risks and suggest solutions. Self-regulation by industry groups is always advisable as regulators may not be as in tune to the business challenges and needs as the businesses themselves.
Beyond the U.S., we are seeing distinctive approaches to cyber issues in both Asia and Europe. China’s new cybersecurity law has requirements that are deeply troubling to western companies. Its data localization rules mandate local storage of personal information and other data generated in China, as well as restrictions on cross-border data transfers—developments that will disrupt the global cloud model western companies have been racing toward. It is a game changer in a very significant market.
Meanwhile, Europe has become “the” data privacy story even for U.S. companies. The European Union’s General Data Protection Regulation (GDPR) contains unprecedented restrictions on how companies may collect, use, monetize, and share data. Many U.S. companies initially thought they would not be affected by GDPR because they did not have European offices. However, any company processing personal data of EU citizens falls under GDPR and must be compliant by May 2018. The EU is quite clear: companies must do this—regardless of the financial or time cost. It is central to the EU’s belief that citizens deserve to know how their data is being used and handled, and that their data can only be collected by companies deploying the highest standards and security measures. Nearly half of organizations will migrate their data to a new location because of measures such as the EU General Data Protection Regulation, according to a recent McAfee survey.
All companies must analyze whether they have EU citizen data, as well as its scope and use. By initiating GDPR, compliance levels internationally will converge up to the EU level, which in some ways is much higher than the U.S. level. We will see continued evolution in EU privacy and security regulations.
Finally, when it comes to cybersecurity, not enough attention is being paid to the Internet of Things (IoT). The phenomenon of ever more devices connected to the internet is exploding, from the granular and personal, such as cars and pacemakers, to existentially important components of national infrastructure. With predictions of 20-50 billion internet-connected devices online within the next five years, there are massive cybersecurity and privacy risks, and regulators worldwide are taking note. Companies need to be attuned from the outset to the security component of their IoT strategy, to ensure it is both compliant and sustainable. There are recognized security best practices for IoT but not every company is adopting them. Now is the time to consider how to handle reputational and liability consequences down the road. It is much harder to “bolt on” security after products are brought to market than to face the challenges at the outset. Courts and regulators will not be forgiving of companies that fail to heed that approach.