How the Relationship Between CISOs and Legal Teams Is Changing

Author: Kayne McGladrey, Chief Information Security Officer at Hyperproof
Published: 27 April 2023

Editor's note: The following is a sponsored blog post from Hyperproof.

In today's environment, regulatory enforcement and scrutiny around companies' security programs and other types of compliance programs (e.g. anti-money laundering; know your customer) has intensified. A recent survey of 1,000 IT security, risk and compliance professionals found that companies are tightening governance over matters of cyber risk and focusing on more transparency and communication around compliance and risk throughout their organizations. This includes CISOs and legal teams, who have traditionally been separated by long-standing communication silos.

With an increase in regulatory burden and more headline-making legal matters than ever, the relationship between CISOs and legal teams is changing — possibly for the better. CISOs are actively seeking out counsel to make critical decisions like adapting to new regulatory burdens, purchasing cybersecurity insurance and addressing liability in case of a breach.

In 2022, it became clear that CISOs could be held personally accountable in headline-making legal matters, and they are worried. That year, several companies made headlines for security breaches, failures and regulatory violations, including Joe Sullivan/Uber (discussed in more detail below), Aerojet Rocketdyne, Drizly and FTX. In response, the way cybersecurity experts communicate with the C-suite is changing.

How the Joe Sullivan/Uber Case Changed the Relationship Between CISOs and Legal Teams

In October 2022, former Uber security chief Joe Sullivan was convicted of one count of obstructing the FTC's investigation of a breach of customer and driver records and failing to report this breach to government regulators. He was also convicted of one count of misprision, that is, acting to conceal a felony from authorities.

One-third (33%) of Hyperproof's survey respondents said that in the wake of the Joe Sullivan/Uber verdict, their company has made changes to how the legal team works with their CISO to protect the company and its CISO. Companies are paying attention to these highly publicized news stories and are anxious about what they can do to avoid becoming one. Breaking down the long-standing silo between IT/security and legal teams is top-of-mind for many respondents.

Adapting to New Regulatory Burdens: How CISOs and Lawyers Can Form a True Partnership

2023 is already a milestone year for increased regulatory burden on CISOs and their teams, but legal teams are stepping in to help. For example, the recently announced National Cybersecurity Strategy calls for one or more new laws to be drafted so that software vendors cannot avoid liability through a EULA, and companies are already preparing for future legislative action in this space.

They're doing this by consulting their trusted counsel and asking about BAAs, SLAs and contracts that could impose liability on software vendors notwithstanding EULAs. Legal teams are providing insight on clauses that may allow companies to refer to documents outside the "four corners" of the contract, such as a new law once it is passed, and on whether counsel may argue that a vendor used unfair bargaining power when getting their client to accept a EULA that allows the software vendor to avoid liability.

How Lawyers and CISOs Are Collaborating on Cyber Insurance

Cyber insurance is a long-standing challenge. Purchasing cybersecurity insurance that actually covers what is needed has been a sore spot for CISOs over the last decade. The survey uncovered that counsel is stepping in to help executives parse insurance policies to make better-informed purchasing or renewal decisions. Here's an example of when lawyers and CISOs would work together to make this decision:

Let's say a company has purchased insurance to protect against a cyberattack like ransomware, but the policy doesn't specify that such an attack could start with phishing made possible by a lack of effective email security controls. While the company may consider this a single cyber risk, some insurers may treat the event as a financial risk. As a result, the cyber insurance purchased might not actually cover the ransomware attack, or the insurer may require extensive and time-consuming discovery in an attempt to deny the claim.

Another example is CISOs who lack D&O (directors and officers) insurance. They are typically either directly named as a party or named as an officer of the company, and they are looking to retain private counsel to help secure D&O coverage. This insurance usually also protects the company, covering legal fees, settlements and other costs. D&O insurance is the financial backing for a standard indemnification provision, which ensures that executives will not suffer losses because of their role in the company. Many officers and directors are working closely together to provide both indemnification and D&O insurance.

Directors and officers may be sued for a variety of reasons related to their company roles, including:

  • Breach of fiduciary duty resulting in financial losses or bankruptcy
  • Misrepresentation of company assets
  • Misuse of company funds
  • Fraud
  • Failure to comply with workplace laws
  • Theft of intellectual property or poaching a competitor's customers
  • Lack of corporate governance

Examples like these are why CISOs and legal teams are working more closely together than ever (and becoming more aware of new threat actor behavior and its increasing creativity). CISOs and legal teams are now partnering to communicate risk to insurers in specifics by articulating that they want coverage for the loss of key business data via a cyber attack and the precise detective or compensating controls that they currently have in place.

Conclusion

Ultimately, this increase in regulatory burden might bring CISOs and legal teams closer together, which can only help companies stay secure. By eliminating communication silos, companies are also increasing the flow of data between teams so they can truly understand their compliance postures.

About the author: Kayne McGladrey, CISSP, is the field CISO for Hyperproof and a senior member of the IEEE. He has over two decades of experience in cybersecurity and has served as a CISO and advisory board member, focusing on the policy, social and economic impacts of cybersecurity on individuals, companies and the nation.
