Adrian Mebane, VP & Deputy General Counsel, The Hershey Company
When I was asked to write this article, the Yahoo data breach had recently hit the airwaves. Reports indicate that much remains to be determined as investors and investigators weigh the extent of the breach and who at Yahoo knew what and when. As we know, Yahoo wasn't the first company to be attacked, nor will it be the last. One thing that is certain is that cybersecurity risk has decidedly moved to the forefront for companies and has spurred increased prioritization of risk mitigation and remediation efforts and processes. Companies only add to the complexity through their ever-evolving need to offer greater enterprise connectivity and to provide the transparency sought by their customers and consumers (e.g., through the use of social media). So where cybersecurity risk may once have been owned primarily by an organization's Information Security (IS) Department or its equivalent, it is now a shared responsibility, as legal risk centers of excellence and ethics and compliance departments seek to align the work of identifying, managing, and mitigating cyber risks at an enterprise level.
The current regulatory enforcement landscape related to cybersecurity matters effectively mandates a strong, multi-functional and balanced response, one that addresses a company's overall cyber risk while simultaneously supporting its commercial opportunities. Over the last few years, in response to numerous cyber breaches and threats, the U.S. Securities and Exchange Commission (the Commission) has declared that it will rigorously assess a company's prophylactic measures when evaluating its cybersecurity risks. In addition to Yahoo, mentioned above, other recent hacks such as those at Target, Wyndham, and Home Depot highlight opportunities for security remediation and emphasize the potential liability of individuals. In some of these instances, management and the board of directors are alleged to have breached their fiduciary duties by knowingly failing to ensure that appropriate protections for customer personal and financial data were in place. Undoubtedly, these matters resulted in significant business disruption and reputational harm, and they also opened another area for regulatory enforcement. In addition to the Commission, other key agencies such as the U.S. Commodity Futures Trading Commission (CFTC) and the Financial Industry Regulatory Authority (FINRA) have issued guidance designed to evaluate a company's governance, management, risk assessment, controls, incident response and loss prevention, third party management and training programs.
With this regulatory roadmap, an organization should have the ability to design effective and scalable risk mitigation and management processes and systems to address cyber threats. Now, because I’m a lawyer, I’ll leave the technical framework discussion to the IS professionals, but I can discuss the importance of leveraging partnerships that include key stakeholders, like IS, business representatives, and ethics and compliance and risk management professionals.
These partnerships facilitate a holistic understanding of the risk in the context of company strategy and of incident response capability and resources, and they support an overall risk-appropriate compliance and cyber response framework. Companies can then effectively use existing compliance tools to address cyber risk and drive a relevant mitigation approach, such as:
• Policy Development: Embedding guidance on how to protect the company’s systems and data into a code of conduct, or similar policy, reinforces that employees “own” the responsibility to protect their systems from risk. Speaking to this requirement through a principle-based approach helps employees realize they can mitigate risk and support response efforts as part of their day-to-day responsibilities.
• Risk Assessments or Audits: Risks aren’t static and companies must remain open to considering opportunities where improvements can (and should) be made to existing controls and processes that address overall risk and regulatory compliance. While a typical or more traditional risk assessment scope may focus primarily on the controls that govern compliance with financial processes, it has become even more important for companies to develop an evaluation plan and gap assessment that includes a lens towards cyber risk and threat, and incorporates an enterprise’s ability to respond to these hazards.
• Third Party Due Diligence and Monitoring: Companies will always rely upon third parties across the globe to provide services and products to their consumers and clients, and they may be held responsible for any missteps or misconduct by these business partners while performing services on their behalf. It is therefore important to understand all aspects of how one's partners conduct their business, and this can be accomplished through a risk-appropriate due diligence and monitoring program. Employing such a program (i) affords an organization the opportunity to understand the risk associated with conducting business with the third party and (ii) allows a company to make educated engagement decisions and determine how the relationship with that business partner, including its associated risk, should be managed going forward. It is imperative that a business partner fully appreciates the importance and sensitivity of the data it manages for a company. It is also incumbent upon the company to know what tools these partners use to prevent cyber security threats (as well as other threats) while protecting the organization's data in the most effective and cost-conscious manner.
• Training: Various functions throughout an organization, whether HR, legal, or quality assurance, regularly develop and deploy training for their employees. Cyber threats and their prevention are also an area that requires focus and incorporation into the training regimen, especially given the potential impact on a company's operations. Understanding what data is sensitive and how to protect it is important information for employees to have, especially in industries where consumer and personally identifiable information is frequently received and transferred in the course of conducting business. Providing a relevant training program that focuses on identifying and preventing cyber and infrastructure risk will equip employees to raise questions and concerns with the individuals equipped to respond to such a risk. And leaning on other key compliance training initiatives helps convey that addressing cyber security risk is a priority for the company.
In this era of big data and the internet of things, the threat of cyber breaches is the new normal, but addressing cyber security risk solely within one's IS group is not. That risk requires the engagement of all employees, leaders, and business partners of an organization. Additionally, a company must continue to develop and leverage existing cross-functional relationships and resources to drive compliance and risk awareness. Regardless of position or responsibility, all employees and stakeholders share a common goal: to protect company data so as to enable continued brand expansion and commercial success. Anything less is (potentially) criminal.