Allow Me To Introduce Myself

BakerHostetler

Coaching Clients Through Cybersecurity Governance

An old adage says that everything you need to know in life you learned in kindergarten. Similarly, as a cybersecurity lawyer who also coaches his son’s little league team, I think that the fundamental lessons needed to implement the SEC’s new public company cybersecurity disclosure rules are lessons you learn in little league. So, with this request to introduce myself to BakerHostetler, while discussing a recent interesting development in my practice, I thought of the similarities between my yearly experience coaching my son’s little league team and the recent “tempest” unleashed by the SEC regarding public company cybersecurity disclosures.

With the rapid expansion of cybersecurity regulatory requirements, the corporate board room is about to face its largest forced evolution since the Sarbanes-Oxley Act (SOX) in 2002. Like SOX, the documented and reasonable steps taken by boards of directors before a security incident occurs will form a key defense against director liability claims, government investigations, regulatory enforcement, and plaintiff/shareholder and third-party litigation. I coach my clients through these developments the same way I coach my players in little league – by emphasizing teamwork, process, and consequences.

Teamwork

In any Hollywood movie about ragtag sports teams, the emphasis is on teamwork. In little league, a significant part of early practices is learning how to cheer on your teammates. Every kid has the opportunity (and responsibility) to bat, and ultimately your team is only as good as your weakest player. Similarly, cyber governance is now a team game. As Harvard Business Review noted, “[t]o provide proper oversight and comply with the regulatory environment, board members are going to have to up their cybersecurity game. It’s no longer adequate to just hear about the protections put in place.” The entire management team and board now have a chance at bat and will need to understand and encourage the cyber corporate strategy, cyber risk profile, and cyber mitigation steps that their organization is undertaking. To underscore the point, the New York State Department of Financial Services recently enacted a rule that requires boards to “exercise oversight of the covered entity’s cybersecurity risk management, including by having sufficient understanding of cybersecurity-related matters to exercise such oversight.” The successful organization (read: regulatory-compliant organization) will treat cybersecurity risk management as the ultimate team game.

Process

In little league, I emphasize with the kids that they control the process, not the outcome. When faced with the slumped shoulders of a kid who repeatedly swings and misses, I remind them to focus on the process – a clean, simple, and repeatable swing – not the outcome. In much the same way, advising senior management and boards requires a constant reiteration to focus on the process implemented before a cyber incident. To quote the SEC’s Interpretive Guidance, “we have also substituted the term ‘processes’ because the term ‘processes’ more fully [en]compasses registrants’ cybersecurity practices.” In short, this regulator is concerned about the actions prior to an incident rather than whether a security incident occurred. As noted in a post on the FTC’s business blog, “data security begins with the Board of Directors, not the IT Department. A corporate board that prioritizes data security can set the tone throughout an organization by instilling a culture of security, establishing strong security expectations, and breaking down internal silos to facilitate technical and strategic collaboration.”

Consequences

One of the greatest “joys” of coaching young kids is the inevitable moment a young player realizes that baseball bats are dual-use instruments – equally effective for swinging at baseballs and swinging at each other as light sabers. Every year, I take a knee and explain to a young Luke Skywalker the serious and potentially long-term consequences of hitting a teammate with a metal baseball bat. The FTC similarly recently reminded management teams about the consequences of thoughtlessly swinging their way through cybersecurity. Just this past January, the FTC finalized an enforcement action against Drizly, the alcohol delivery company, and Drizly’s CEO. Most concerning (for management teams anyway) is that the consent order will follow the CEO to any new organization for the next 10 years. Now, as this shows, the consequences of decisions made in the context of cybersecurity enterprise risk management are far-reaching and long-lasting for all members of the management team.

Many management teams remain in the early innings of the journey to meet the shifting kaleidoscope of regulatory requirements. For a firm, this presents a unique opportunity to deepen relationships with existing clients because cybersecurity regulatory risk cuts across industries, corporation size, and types of organizations and also creates regular, routine, and repeated client interaction points. I’m impressed by the collective talents, ability and practical-minded solutions surrounding me in the Digital Assets & Data Management Practice Group, and I look forward to cross-group collaboration to drive effective solutions for our clients.

As a native New Yorker (go Yankees!), when I am not corralling little leaguers, I’m fixated on urban policy as a big booster of the city – contributing to the Partnership for New York as a Rockefeller Fellow and recently concluding my service on the Landmarks & Preservation Committee for Community Board 1 in Lower Manhattan. In addition, I have a deep interest in education and educational policy and serve as a trustee and the board secretary of the Hackley School. Finally, for those who have made it this far, I’m also happy to share the places to find the best Ghanaian jollof here in the city.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© BakerHostetler | Attorney Advertising
