Privacy, Data Security, and Your Board – Day Three
Posted on February 28, 2018
In our ongoing conversation about privacy, data security and your board, we turn next to cyber insurance and vendor management. Boards, when executing their duty of care, should keep in mind that while there may be some coverage for data incidents under a company’s CGL and D&O policies, there may be significant gaps in coverage as well. Knowing what those gaps are is important. And just as it is important to have a broker with cyber experience, it is also important to seek assistance from cyber counsel during the application process to avoid overstatements or misstatements and to ensure the company is purchasing the appropriate cyber policy based on the company’s cyber risk levels. In addition to cyber insurance coverage, another third party issue that often comes up in the privacy and data security space is vendor management. Board oversight of vendor management has become the new normal. What should boards expect? What are practical aspects of effective vendor management? Limiting vendor access to critical network segments, setting cybersecurity policies and standards for your vendors, ensuring your vendor contracts comprehensively address privacy and data security risks, incidents, liability, and insurance are all things boards should be increasingly focused on. For our prior post on this topic, click here for day one and here for day two.
PUTTING IT INTO PRACTICE: Companies should expect to hear from their boards about cyber insurance coverage and vendor management. Are you ready to answer their questions?
Privacy, Data Security, and Your Board – Day Two
Posted on February 27, 2018
In our continuing series about privacy, data security and your board, we next turn to how to best educate a board. Yesterday we mentioned about how board members have a duty of care. Part of that duty includes effectively overseeing matters relating to privacy and data security (or the often-used buzzword “cybersecurity”). How can board members best address this? Boards will need to understand what their organizations are doing to address and respond to privacy and data security risks, threats, and incidents. They will need to be regularly informed of such efforts, and should monitor compliance. Simply assuming the Company’s IT/IS department has it handled will no longer suffice. For our prior post on this topic, click here.
PUTTING IT INTO PRACTICE: Companies should take steps to make sure that their boards are appropriately informed of the privacy and data security efforts of the company, as well as risks and threats facing the organization. This education can be accomplished in several ways. A few examples include holding privacy or data security- specific roundtables for your Board or taking time regularly during Board meetings to present specifically on the subjects of privacy and data security.
SEC Takes Baby Steps on Cyber, but Signals Greater Vigilance
Posted on February 27, 2018
On February 21, the Securities and Exchange Commission issued new Interpretive Guidance regarding disclosures of cybersecurity-related information by publicly traded companies. This guidance comes in the context of public pressure on the SEC to update its 2011 Division of Corporation Finance guidance regarding cybersecurity risks and incidents. According to SEC Chairman Jay Clayton’s statement, this new document serves to reinforce and expand the prior guidance. It lays out principles that companies should follow in determining when cybersecurity information should be disclosed, and what should be disclosed.
                    Eye on Privacy 2018 Year in Review 48