With all the talk about cybersecurity in boardrooms and in the media, it’s easy to forget that many companies have only recently become truly aware of the nature and scope of their cybersecurity challenges. And as government regulators and industry organizations work to create standards that will help companies understand how to shield themselves from cyberthreats and respond to attacks when they do happen, leaders at those businesses are watching carefully.
A new report from Mayer Brown, “Perspectives on Cybersecurity and Its Legal Implications,” takes the pulse of executives and in-house counsel on the state of cybersecurity. The data in the report, which was collected between November 2014 and February 2015 from companies in 15 industry sectors—many from financial and professional services—shows that there’s a limit to what businesses believe will be accomplished in the next few years with regard to standardization. “These numbers really reflect business expectations about what’s realistically achievable in Washington,” Archis Parasharami, a litigation partner at Mayer Brown, told CorpCounsel.com.
In one area, data breach notification, the vast majority of respondents—84 percent—said that they believe clear national standards will emerge over the next five years. This would be a welcome change, as companies currently have to deal with a patchwork of different state data breach notification laws when an attack threatens customer data. The only other category in which most respondents said national standardization might be in the works was the security of personally identifiable information. Some 54 percent said that true national standards could emerge in how PII is protected.
In other areas, though, corporate counsel and executives did not feel confident that the federal government can deliver on creating standards. For instance, only 30 percent felt that the government would develop and standardize liability protection for information sharing within the next five years. Indeed, the degree to which a company should be able to waive liability when it reports an incursion into its networks has been a major point of contention in legislators’ attempts to pass federal cybersecurity legislation.
Perhaps it’s the issue of liability that has discouraged companies from working more closely with the government on breach issues. When asked if they have built a close working relationship with a government entity on cybersecurity, 41 percent answered “no” and 24 percent did not know the answer. For those that did have these types of relationships, they were mostly with industry-specific regulators, such as the Federal Trade Commission or the Federal Communications Commission. To a slightly lesser degree, they reported developing ties with law enforcement agencies such as the FBI or the U.S. Secret Service.
The insights from the Mayer Brown report also went beyond the issues of standards and relationships. Respondents were asked what their overall outlook was on cybersecurity issues. Some 36 percent described their outlook as “neutral,” because “cyber-related issues are a cost of doing business.” Parasharami explained that this neutral view likely means that the drumbeat of major breaches has gotten the digital security issue into the heads of executives and in-house lawyers, and it’s become a fact of life. “Cybersecurity is no longer something esoteric—it’s front and center for everyone,” he said.
Another 29 percent said that they felt “negative” about cybersecurity issues, and feared that the bad guys would always be one step ahead. A lucky 27 percent actually felt “optimistic” about cybersecurity, believing that they are catching up to or getting ahead of the problem.
The widening normalization of cyberattacks as a fact of life for businesses is reflected throughout the report. Some 33 percent of respondents said they had both a chief privacy officer and a chief information officer (or the equivalents) who are accountable for developing, implementing and maintaining an organizationwide governance and privacy/cybersecurity program. Assigning high-level personnel to the issue shows that the companies in the survey are taking it seriously.
Many also are interested in insuring themselves against breaches. “I think a lot of businesses are asking questions about cyberinsurance,” said Parasharami. “A lot needs to be known and the products continue to develop.” Some 27 percent of respondents said they have a separate cyberpolicy for liability, and 7 percent had one for breach remediation costs. Plenty of others—14 percent—were considering getting coverage within the next 12 months, and an additional 14 percent said they might get a separate cyberpolicy down the road.
Reprinted with permission from the April 13, 2015 edition of Corporate Counsel © 2015 ALM Properties, Inc. All rights reserved. Further duplication without permission is prohibited.