SecurityScorecard Blog

The Increasing Importance of a Strong Partnership Between the CISO and Legal & Compliance

Sachin Bansal
09/26/2019

Many organizations recognize that SecurityScorecard is a highly effective weapon in the cybersecurity toolkit for a Chief Information Security Officer (CISO), but the link to the legal and compliance departments is often less well understood. With the proliferation of state, federal, and international regulations involving cybersecurity and data privacy, SecurityScorecard also enables companies to align their policies and procedures to maintain a robust cybersecurity compliance stance. In addition, the cybersecurity-related risks of civil litigation, regulatory investigations, and congressional inquiries have expanded dramatically.

How cybersecurity creates legal risk

Cybersecurity is no longer simply an IT department’s problem and, in fact, cannot be the responsibility of any single department. Regulators have repeatedly stressed the importance of an enterprise-wide approach to creating an effective cybersecurity program as a matter of corporate governance. As such, a corporation’s senior management needs to provide oversight and support the program with sufficient resources and funding.

Such programs need coordination and communication across multiple internal departments. When establishing a cybersecurity program, organizations must include relevant legal and compliance professionals as early as possible in the risk assessment process. This team-based model allows the various stakeholders to holistically leverage their expertise, which will make the cybersecurity program that much more robust.

Moreover, disparate stakeholders often view cybersecurity risks through very different lenses and speak about those risks in different ways. Without a programmatic and governance-based approach that includes a wide variety of internal stakeholders, a cybersecurity program may end up with significant gaps in understanding risks and/or lack the appropriate measures to mitigate them, which increases the severity of cyber-related harm that an organization may suffer.

What value do legal and compliance professionals add to a cybersecurity program?

As companies expand their cyber-related preparations, legal and compliance professionals can add value in many different ways.

A company’s in-house and/or outside counsel’s responsibilities should include a variety of legal and compliance actions to ensure the program’s robustness. For example, legal counsel’s responsibilities may include, but are not limited to:

  • reviewing public disclosures (e.g., SEC filings) regarding prior incidents and material risks,
  • pressure testing the design (i.e., reviewing the incident response plan),
  • engaging in the implementation of a company’s cyber program and key controls,
  • assisting with employee training and tabletop exercises (to practice the incident response plan),
  • determining the extent of the company’s cybersecurity insurance (if any),
  • developing contacts in law enforcement,
  • coordinating with internal government relations regarding proposed legislation,
  • considering an informal policy on cyber ransom payments.

Meanwhile, contract attorneys for a corporation can also negotiate key data privacy and security provisions in vendor contracts regarding the access, use, storage, and sharing of data. In fact, a number of companies are requiring their vendors to maintain a minimum acceptable security score during the term of the contract based on a company’s use of SecurityScorecard’s vendor risk monitoring. A company’s contracts may also create obligations to notify customers of a cybersecurity event or to maintain certain cybersecurity measures.

In addition, effective cybersecurity and privacy lawyers can help craft a narrative of how a corporation establishes a defensible cyber program in response to civil lawsuits, such as those that will be permitted under the forthcoming California Consumer Privacy Act (“CCPA”), which will become effective on January 1, 2020. The CCPA imposes a duty on companies to “implement and maintain reasonable security procedures and practices.” While the new law does not provide detail or guidance for how courts should unpack what is “reasonable,” organizations should assume that, at a minimum, continuous monitoring of their key security controls will be required. SecurityScorecard can help show that the company took a cyber-focused approach toward the due diligence of both itself and its vendors.

How can an effective cybersecurity and data privacy lawyer enable a robust cyber program?

Unfortunately, the days of “dabbling” in cybersecurity and data privacy are over. Given the increasing risks involving cybersecurity and data privacy, companies simply cannot afford to have in-house counsel working on these issues off the side of their desks.

Even the American Bar Association (ABA) has begun to recognize cybersecurity’s importance. Although released in 2017, the Vendor Contracting Project: Cybersecurity Checklist remains a fundamental cybersecurity resource on the ABA’s website. On the list of required actions, the ABA notes the importance of:

  • Risk Assessments
  • Vendor Due Diligence
  • Contract Provisions

Embedded within these three key segments are a variety of suggestions including security program management and business continuity/resilience programs.

Corporate counsel needs to be able to identify risks and understand mitigation strategies both as part of the company’s cybersecurity program and its vendor risk management program.

The daily changes in both technology and the law require attorneys who specialize in these areas so they can provide meaningful assistance and practical solutions. Ideally, at least one in-house counsel should be exclusively focused on cybersecurity and data privacy and should closely partner with the CISO.

When should companies engage outside counsel with cybersecurity expertise?

Again, it is very dangerous for companies to wait until a material breach has occurred to involve external counsel.

Any major corporation should already have retained cybersecurity counsel to advise it globally. Increasingly, the extraterritorial nature of data security and privacy laws focuses less on an organization’s geographic location and more on the data owner’s location. Reviewing the General Data Protection Regulation (GDPR), the CCPA, and the New York Stop Hacks and Improve Electronic Data Security (NY SHIELD) Act shows a trend toward holding companies responsible for data security and privacy based on the data owner’s residence, not the organization’s place of incorporation or offices.

Among other things, counsel can advise on cross-border data concerns to address compliance with data being shared or transferred outside of the United States. Some concerns that a cybersecurity-focused outside counsel can help with include, but are not limited to:

  • What data privacy laws are impacted?
  • What is the definition of a data breach?
  • Can the company lawfully send and receive data to a particular foreign country?
  • What is the company’s responsibility to data owners?
  • What are the cybersecurity requirements for collecting, processing, or transmitting data?
  • What are the potential private causes of action that can be taken against the organization in the event of a data breach?

Outside counsel can answer these and many other questions to better advise in-house counsel and the CISO.

While too many outside counsel claim to have cybersecurity and data privacy expertise, few have truly risen to the top of this new cottage industry. New York’s Avi Gesser, a Davis Polk partner and publisher of an excellent cyber blog (to whom the author is particularly grateful for research support for this article), and Washington, DC-based Luke Dembosky of Debevoise, a former cybercrimes prosecutor, are both outstanding practitioners in this space.

What value does outside cybersecurity-focused counsel provide when a data breach occurs?

Increasingly, organizations recognize that data breaches are no longer a matter of “if” but of “when.” According to the 2019 Symantec Internet Security Threat Report:

  • 1 in 10 URLs are malicious
  • 56% increase in web attacks
  • 12% increase in enterprise ransomware
  • 78% increase in supply chain attacks

In short, malicious actors continue to evolve their threat methodologies faster than organizations can secure their ecosystems.

In the event of a breach, external counsel will be invaluable. At a minimum, counsel provides an independent perspective to both senior management and its board of directors.

Specifically, counsel can help:

  • ensure preservation of documents and information,
  • conduct interviews of relevant personnel,
  • advise on insider trading-related risks,
  • coordinate outreach with law enforcement and regulators,
  • advise the company on its legal and regulatory obligations.

In particular, counsel should advise on whether a particular cyber event triggers a legal requirement to notify one or more of the company’s customers, regulators, insurers, auditors, vendors, or even the market itself. All 50 states have breach notification laws, and further standards exist at the federal and international levels. However, the legal framework surrounding notifications is a mess because the requirements differ as to what triggers a notification, what the notification must say, and the deadlines involved.

However, if counsel is not brought in until after the breach, it will be very expensive for a company given the amount of work that counsel will need to handle in a very accelerated time frame. Waiting to hire counsel until an actual incident occurs leaves the company vulnerable to legal liability and reputational harm. On the other hand, bringing in counsel early mitigates that risk and gives counsel time to gain familiarity with the company’s network infrastructure and to form sound working relationships with the CISO and the legal/compliance teams.

How SecurityScorecard enables corporate counsel

With SecurityScorecard’s continuous monitoring capabilities and security ratings system that uses an A-F scale, our platform enables corporate counsel and outside counsel to help protect against cyber attacks. Additionally, the long-tail data we collect provides documentation that can assist legal counsel when looking for evidence that proves control effectiveness.

Our platform enables organizations to engage with internal stakeholders across the enterprise, providing a common language for discussing risk and security posture. Using our detailed reporting capabilities, organizations can gain insight into their own risks as well as potential vendor risks. For example, organizations with a D or F rating are five times more likely to experience a data breach. Legal counsel can use these ratings to proactively address risks and mitigate legal or compliance-based liabilities.

Moreover, in-house counsel should formulate contractual language aligning with our ten groups of factors and use the risk ratings as key performance indicators for vendor contracts. By using our factors as part of vendor contracts, corporate or outside counsel can more effectively meet the ABA vendor contract requirements.

Finally, organizations using our Atlas platform can better manage the complex compliance requirements necessary for proving a robust cybersecurity program. Our machine-learning capabilities align vendor questionnaire responses to the publicly available information gathered by our platform to provide immediate verification of controls, alerting organizations to potential risks arising from vendor control weaknesses.
