There's no denying that companies need to make forward strides in terms of cyber preparedness. But when it comes to gaining cyber momentum, there is one group in every business that needs to be convinced: the leadership. If you're committed to moving your business forward in terms of cybersecurity, getting the approval of C-Suite members is the first key step. And if you are at an executive level, then it becomes your task to convince your peers of the importance of cybersecurity progress.
This brings us to the company boardroom. If there's a business-critical decision to be made, the boardroom is where it happens: it's the spot where organizational leaders convene to make decisions that will shape the future of their enterprise. Therefore, when it comes to where enterprises stand on cybersecurity, it's imperative to look to the boardroom and the kinds of conversations taking place there.
A recent industry survey did exactly that, reaching out to C-Suite personnel to ascertain where they stand in terms of data breach liability. The results, which are somewhat contradictory, point to the complexities that arise when it comes to the question of responsibility for something as damaging to business as a cybercriminal incident that compromises customer data and can cause harm to the bottom line for years to come.
When a business breach happens, who is accountable?
While this may sound like a straightforward query with a straightforward answer, it isn't. The question of responsibility for a breach is something that's debated in all circles – from individuals to organizations and from the mainstream media to legislators. In the wake of a major cybercrime incident, one of the first impulses is to point the finger, but it can be unclear where that finger should be pointed. If a company breach resulted from a vulnerability in its third-party network security software, for instance, should the business be held accountable for not having backup defenses, or should the third-party software provider take the hit?
Not surprisingly, the issue of accountability for breaches is also a concern that occupies the boardroom. But as the recent study – which reflects a poll of 276 senior executives or board directors – illustrated, boardroom members have some seemingly contradictory feelings when it comes to the question of responsibility. The central contradiction in the survey is highlighted by the juxtaposition between two findings:
- Nine out of 10 respondents said they believe that in the event of a business breach, "third-party software providers should be held liable when vulnerabilities are found in their packaged software."
- Nine out of 10 respondents stated that organizations need to be held accountable by regulators for a breach if the business had not taken reasonable and appropriate protective measures.
On the surface, this may seem like a direct contradiction: The vast majority of boardroom members want third parties held accountable, and the vast majority want organizational accountability. How does that compute?
However, what these two findings point to is what boardroom members see as a division of responsibility, one in which breach liability shifts depending on the particular circumstances. In the event that a particular cybersecurity software package does not do its job, thereby leaving a vulnerability exposed, boardroom officials believe the software provider should be the one to answer. In contrast, if an organization doesn't do its job, by ignoring the reasonable protective measures it should have had in place beforehand, then that business needs to be held liable if a breach happens.
"90% say organizations should be held accountable by regulators for a breach."
But a side-by-side look at these two survey findings still raises the question: What if a business breach happens due to vulnerabilities in third-party software and the business is later assessed to not have taken reasonable protective measures? Who is responsible then?
Unfortunately for leaders in the boardroom, the answer is always bound to be the company. And even in situations where software vulnerabilities lead to an enterprise attack, organizational leaders will still have to deal with inevitable repercussions.
For this reason, it is imperative that businesses make it a priority not only to guard the company network against cyberthreats, but also to prepare the organization to respond in the event of an incident. Because even if companies aren't necessarily liable for every type of attack, they will always be liable for their own response.
And as we've seen with many major breaches – whether it's Target, Sony, Anthem, J.P. Morgan or any other major brand that's been hacked in the past few years – failing to have a robust breach response plan will end up being just as big of a negative headline as the incident itself. So if there are boardrooms out there that aren't discussing breach response, that's a conversation that needs to happen now.
Specifically, organizations need to focus on the measures they should have in place to ensure that a breach response is adequate, including:
- A well-informed staff trained in cybersecurity basics.
- A carefully laid-out plan that details the distribution of responsibility in terms of coping with breach fallout.
- Consistent conversations in the boardroom to ensure that the company remains up-to-date across the board in breach recovery matters.
Arctic Wolf Networks provides SOC as a service that makes every link in the security chain stronger. The turnkey service is anchored by security engineers bringing the peace of mind that comes with vigilant cybersecurity.