Nov 5, 2015

Cybersecurity and Corporate Liability

By Eric Seymour

Security is now the second leading risk to a company’s brand – ahead of traditional risks related to safety, health, and the environment, according to Deloitte. It should come as little surprise that legal risk related to cybersecurity is becoming a major concern for corporate directors.

Pressure is building for boards and management teams to deal with cybersecurity issues that can impact their brand and erode valuation. Based on a survey of nearly 300 board members by NYSE Governance Services, 9 out of 10 board members believe regulators should hold businesses liable for cyber breaches if due care has not been followed to secure customer data.

Key questions raised by the survey highlight the debate needed to frame the liability issue. For example: When should a company be considered negligent in its processes—or lack thereof—for securing sensitive information? What constitutes ‘reasonable’ efforts to address vulnerabilities in web and mobile applications, libraries and frameworks, and other components in its digital infrastructure? Should companies be held liable for not finding a common and easily found vulnerability such as SQL Injection? Is it a minimum ‘standard of due care’ to patch widely known vulnerabilities such as Heartbleed, and should businesses be held liable for failing to do so?

Take a look at the full report for usable insights for CISOs.

By Eric Seymour

Eric manages global public relations at Veracode. In this role, he manages all facets of the company’s PR efforts. He brings more than 13 years’ experience in the industry. Prior to Veracode, Eric ran public relations activities for CyberArk across the US, EMEA and APJ.