At the end of January, partners Daniel Ilan and Alexis Collins participated in a panel co-hosted by The Conference Board and Cleary Gottlieb to discuss cybersecurity and board oversight.
Moderator Doug Chia, executive director of The Conference Board; Nick Mankovich, Vice President and Chief Information Security Officer (“CISO”) at medical technology firm Becton Dickinson; Daniel; and Alexis discussed current cybersecurity risks, how cyber-attacks are changing, and the role that management and the board should play in ensuring that companies are prepared.
In addition to headline-grabbing breaches involving unauthorized access to and use of customer data, the panel addressed other existential threats to companies, such as data breaches involving the theft of trade secrets and ransomware attacks, which can render data or entire systems inaccessible (as opposed to stealing data). The panel also discussed cybersecurity issues arising in M&A deals and vendor relationships, a topic that is becoming increasingly significant for boards and management, and the necessary diligence and contractual protections that should be considered.
The panel also touched on the special risks that privacy laws pose in a cybersecurity context, particularly in light of the GDPR. The panel noted that the enforcement implications of the law are potentially severe since violations could result in fines tied to the entire global entity’s annual turnover.
In discussing recent trends in data breach litigation, the panel described the continued increase in civil litigation and enforcement proceedings throughout 2018, some of which led to record settlements. They explored the active role being played by state Attorneys General, the increasing difficulty companies face in obtaining early dismissal of civil lawsuits, and the rise in inconsistent results across jurisdictions.
Finally, the panel discussed the need for the board to be conversant in cybersecurity issues. The panel’s suggestions included maintaining an ongoing dialogue between the board and relevant stakeholders at the company – such as IT, legal, and public relations – to both prepare for and respond to cyber incidents. Given the ever-changing cybersecurity and threat landscape, the panel emphasized the need to have a program that is constantly maturing, while monitoring and reducing risk in a demonstrable way.
The panel complements two recent writings by Cleary Gottlieb: 2018 Cybersecurity and Data Privacy Developments: A Year in Review and The Evolving State of Cybersecurity. In addition, a replay of the webcast is available here (please note that your browser may require you to run an Adobe plugin to access this content).