Brian Craig Publishes Article in CSLR on Engaging Boards of Directors in Cybersecurity Planning
Washington, D.C. (September 18, 2020) - Washington, D.C. Data Privacy and Cybersecurity Partner Brian Craig recently published an article in the Cybersecurity Law Report (CSLR) titled, “Twelve Steps for Engaging the Board of Directors and Implementing a Long-Term Cybersecurity Plan.” The article takes the form of a checklist, which describes 12 actions that companies may take following a cyber incident to obtain top-down support and ensure successful, long-term cybersecurity for their businesses.
In the first portions of the checklist, Mr. Craig discusses strategies for communicating with the board of directors to engage its support. He notes the importance of using the momentum that arises following a cybersecurity incident to demonstrate the need for a long-term cybersecurity plan and to assemble a team to address the plan. Mr. Craig explains that this “A-Team” should include an external cybersecurity lawyer and forensics squad, along with a company’s internal IT team. He recommends that members of the A-Team should seek to change board-level thinking from “‘this is a technology problem’ to ‘this is a people problem.’” To achieve this goal, he suggests that a long-term cybersecurity plan should span at least 18 months and include measurable progress points. A budget that incorporates the financial commitment of various C-suite members, i.e., budget-holders, is also necessary.
In the later portions of the checklist, Mr. Craig addresses tangible components of a cybersecurity plan. These include conducting a risk assessment, completing a post-incident audit to identify the gaps in compliance against a company’s chosen security standard, and bringing the company into compliance with the standard. Moreover, Mr. Craig notes the importance of generating progress reports for the board and protecting this information by preserving privilege where it applies. He also recommends reviewing trading partner contracts to determine whether they provide protection in the event that their networks are compromised, examining federal and state regulations concerning cybersecurity programs, and delivering employee training. He suggests that a subscription model, in which a budget is committed up front and payable with each monthly deliverable, may be a steady and reliable way for companies to approach cybersecurity.
Mr. Craig is a member of Lewis Brisbois’ Data Privacy and Cybersecurity Practice. For over 25 years, he has been helping companies complete complex transactions and manage risk and compliance challenges. By using his leadership experience and domain expertise, Mr. Craig helps clients respond to serious data breach incidents and maintain compliance in cybersecurity and data protection (CIPP/E, DPA, GDPR, Privacy Shield, PECR) in industries with significant data processing, engineering, financial, and regulatory components in aerospace, telecoms, information technology, financial services and defense.
You can read the full CSLR article here.