Just look around. That’s all it takes to notice that today’s technological landscape is wildly different from what it used to be. With an abundance of new devices comes an increased risk that they will be targeted. And, with a staggering amount of personal data stored, processed, and handled every day, it’s no surprise to see legislation developing around the topic.
Keeping up with changing rules, regulations, and laws around cybersecurity is a full-time job. And that’s not a figure of speech. Just within the past few months, we’ve had major events occur in the cybersecurity landscape:
- Facebook CEO Mark Zuckerberg’s testimony to Congress
- GDPR going into full effect
- The passing of the California Consumer Act of 2018
The cybersecurity field is evolving—quickly. The idea behind laws and regulations around information security is to inform consumers, so they can make better decisions around their privacy.
Boards should not only be concerned with consumers’ understanding of the legal processes around cybersecurity, but also with the company’s understanding of those legal processes. In short, boards should be asking:
How is the company maintaining a current understanding of cybersecurity laws and regulations?
These laws and regulations set the tone for the company’s entire culture around information security, so they can’t be an afterthought. Each organization should have a general counsel or CLO in place to stay abreast of the newest laws and regulations around cybersecurity and to effectively communicate the ramifications of those laws and regulations to the company’s board and leadership team. Beyond that, each organization should also periodically work with external counsel to ensure that no “blind spots” were overlooked by the general counsel or the organization.
It’s not only important for general and external counsel to stay abreast of laws and regulations; they must also work closely with the cybersecurity team to ensure that team maintains a thorough understanding of the laws and regulations and effectively implements controls to address them. Legal counsel should also examine each of the company’s contracts with vendors, as these contractual obligations can introduce cybersecurity requirements, such as compliance with PCI or HIPAA requirements.
The common thread here is reduction of risk. Noncompliance with laws, regulations, or contractual obligations adds significant risk to your organization. Maintaining awareness around these topics decreases the risk of harm to reputation, loss of sensitive data, failure to meet contractual obligations, and much more.
It’s hard to overlook these topics (all you need to do is turn on the news), but it’s also hard to manage them effectively. LBMC Information Security can help identify the laws, regulations, and contractual obligations your company must meet and help you put controls in place to address them effectively. Contact us today to learn more.
This blog is the seventh in a series titled, “Cybersecurity in the Boardroom.” The purpose of this series is to shift boardroom conversations and considerations about cybersecurity so board members, company management, and information security personnel can work together to implement a more effective cybersecurity program.