Pub. 13 2022 Issue 3

Cybersecurity Is Everyone's Responsibility

By Nicholas P. Mooney II and Alexander L. Turner, Spilman Thomas & Battle, PLLC

A recent survey by PricewaterhouseCoopers (PwC) revealed that U.S. executives now consider cyberattacks the number one risk their companies face. Concerns about cybersecurity have moved beyond the Chief Information Security Officer (CISO) to the entire C-suite and corporate boards. Recent developments show executives are right to worry about those attacks, because they can result in monetary loss, personal liability, and reputational risk.

Litigation & Governmental Action

Cyberattacks that result in data breaches often lead to litigation, but courts have been quick to dismiss lawsuits when the plaintiff complains only of a fear of identity theft or some other type of future harm. In those instances, courts have held that those plaintiffs lack the injury-in-fact required for standing to bring a lawsuit. Courts also have held that companies are not required to absolutely protect customers' and employees' personally identifiable information (PII), but only to take "reasonable" steps to protect the data they maintain.

On the other hand, there is a real concern regarding possible governmental action if it is determined that officers and board members failed to take necessary steps to secure their companies' computer networks. The Consumer Financial Protection Bureau (CFPB) recently stated that financial institutions may be in violation of the Consumer Financial Protection Act (CFPA) if they fail to take adequate measures to safeguard consumers' data. The CFPB stated that financial institutions should implement multi-factor authentication, adequate password management, and timely software updates. Although the CFPB did not require financial institutions to implement these recommendations, it did state that failure to implement these simple suggestions could trigger liability under the CFPA.
Reducing Risks for the Company

The lack of a comprehensive federal cybersecurity law complicates the ability of CISOs to take steps to reduce the risk of a lawsuit or governmental action. Nonetheless, there are several steps they can take to reduce these risks:

• Implement protocols and procedures that protect the company's IT infrastructure from attack. These protocols and procedures include:
  o Mandatory employee training on preventing the disclosure of sensitive information
  o Third-party cyber assessments for all vendors
  o Segregation of sensitive information, with additional authentication required to limit access to that information
  o Routine checks for new risks to the IT system
• Be aware of the details of the company's privacy policy and ensure the company is actually taking the steps to implement its promises to protect PII.
• Be current with industry-specific laws and regulations that address data breaches and their required notice provisions, to ensure those procedures and deadlines are included in the data breach response plan.
• Communicate potential risks and breaches to upper management and the Board of Directors in a timely manner so they can take appropriate actions to address those risks and breaches.

wvbankers.org 16 West Virginia Banker
