Make no mistake: the compliance challenges arising from data breaches and other cyber incidents are not limited to industries such as retail and financial services, which garner the most conspicuous publicity because their incidents so directly affect the public.
Not that those sectors aren’t obvious targets for cyber mayhem by global bad actors and homegrown miscreants. If anything, more pressure still needs to be exerted on the industries that remain slow to adopt the kind of preventive measures that underpin every sound compliance culture. But far too few companies of any sort are investing in comprehensive compliance, training and monitoring programs to protect against cyberthreats.
A key factor causing corporate inertia around this enterprise-wide risk is the question of responsibility. Who is accountable? Is it information security, IT, corporate security, legal, compliance or some other corporate department? Many corporations are behind the curve when answering this question, and without an “owner” to lead the charge, it seems companies are paralyzed into doing nothing.
The global scope of the cybersecurity problem, and the dizzying array of issues involved—HIPAA, Gramm-Leach-Bliley requirements, state regulations, cross-border legal issues—represent liabilities and raise questions far beyond whether firewalls are permeable. This point was underscored in May 2014 when the Department of Justice indicted Chinese military officers for hacking major U.S. corporations, including my company, U.S. Steel, in a scheme to steal intellectual property and trade secrets. It was the first time the U.S. had brought criminal charges against a state actor in a cyber-espionage case.
As a matter of national security as well as self-preservation, companies must expand cyber oversight to include the legal and compliance functions. Why? Because the rules and regulations affecting this space are constantly changing and require legal and compliance input. This is not about one corporate function usurping the authority of another. It is about educating technology managers on the changing regulatory landscape so they can advise on whether the systems in place ensure compliance with all regulatory requirements and best protect the company from incoming cyberattacks. It also means that legal and compliance professionals must take it upon themselves to become proficient in technical cybersecurity issues in order to advise their internal clients.
Given such burdens, the legal and compliance functions must spearhead enterprise-wide training programs that educate employees about their individual roles in protecting the corporation from cyberthreats. At the same time, the legal and compliance teams must review their respective due diligence processes for evaluating the corporation’s current and potential business partners. Along with internal compliance training on cyberthreats, the data breach response plan must include compliance officers and in-house lawyers as well as the system architects, key implementers and partners. What is needed now is a living, functional plan and process based on the company’s specific operational realities and revised continually by the cross-functional cybersecurity team. The plan must require regular tabletop exercises to both test its efficacy and rehearse all relevant personnel in its critical provisions, including public notifications and crisis communications strategies.
We should all know what is at stake. As experience demonstrates, cyberthreats pose a risk as great as any other to even the mightiest companies and industries. Whether the concern is the health of our manufacturing, financial, retail or other industries, it is important to keep in mind that with cybersecurity we are fighting a war, a very long-term war of survival. In that war, legal and compliance professionals are key subject-matter experts who, working in concert with their colleagues, can present a unified and indispensable front against current and future cyberthreats.