Security is now the second leading risk to a company’s brand – ahead of traditional risks related to safety, health, and the environment, according to Deloitte. It should come as little surprise that legal risk related to cybersecurity is becoming a major concern for corporate directors.
Pressure is building for boards and management teams to deal with cybersecurity issues that can impact their brand and erode valuation. Based on a survey of nearly 300 board members by NYSE Governance Services, 9 out of 10 board members believe regulators should hold businesses liable for cyber breaches if due care has not been followed to secure customer data.
Key questions raised by the survey highlight the debate needed to frame the liability issue. For example: When should a company be considered negligent in its processes, or lack thereof, for securing sensitive information? What constitutes "reasonable" efforts to address vulnerabilities in web and mobile applications, libraries and frameworks, and other components in its digital infrastructure? Should companies be held liable for not finding a common and easily found vulnerability such as SQL injection? Is patching widely known vulnerabilities such as Heartbleed a minimum "standard of due care", and should businesses be held liable for failing to do so?
Take a look at the full report for usable insights for CISOs.