When it Comes to Cybersecurity, Reduce Regulatory, Legal Risks

According to a Bloomberg BNA article, companies need to be thinking about cybersecurity in terms of reducing regulatory and legal risks, not what they typically tend to focus on – investment returns.

The information comes from what panelists said at a recent Stanford Law School conference. Joseph V. DeMarco, partner at New York’s DeVore & DeMarco LLP, agrees.

“Although managers may understand that their company might be hacked or be sued by regulators, the issue on which they focus is the return on investment and how much money they can save by implementing standards,” said DeMarco in the article.

“A good accountant can provide precise information about accounts receivable and fraud. But cyber is different as we all know because the information is moving around, data is coming into the organization at the speed of light, devices are coming on and off the network every day,” DeMarco continued in the article. “Bad guys are hiding behind layers and layers of anonymity.”

DeMarco explains that focusing just on return on investment and how a risk can be reduced by a certain percentage, fails to realize that adhering to standards reduces business, legal and reputational risks.

DeMarco was a prosecutor for 10 years, and in that time, he said he “picked through the wreckage of every data breach imaginable.”

“Recurring themes do present themselves,” Demarco said. “And if you follow any one of the models, you are going to reduce risk. And finally, when the regulators come knocking or the plaintiff’s attorneys come calling, you will be able to answer them with satisfactory answers that are going to dramatically improve a good outcome,” said DeMarco in the article.

According to the article, the National Institute of Standards and Technology (NIST) - which helps craft the way security practices are presented to the C-suite along with the Federal Trade Commission – released a final voluntary cybersecurity framework of best practices (available here) for the protection of critical infrastructure, under an executive order from President Barack Obama.

“The framework is written in language that is understandable and approachable to those who don’t normally deal with cybersecurity, such as corporate directors,” the article stated.

Though the framework was released back in February, DeMarco’s recent thoughts on the guidelines are worth noting: DeMarco told Bloomberg BNA he expects the NIST guidelines will become a de facto standard of care, and businesses should consider the NIST standards when they think about security and privacy.


For the original article, click here: http://www.bna.com/companies-think-cybersecurity-n17179891642/