Cybersecurity Awareness Month 2025: Navigating Legal Risks, Data360 Insights, and Effective Strategies (Video) – Security

Understanding Cybersecurity: Insights from Lowenstein Sandler’s Awareness Series

In a digital world where data breaches have become increasingly common, the legal ramifications of cybersecurity are more significant than ever. This reality is engagingly detailed in an episode from Lowenstein Sandler’s Cybersecurity Awareness Series, featuring a conversation between Ken Fishkin, Associate Director of Information Security, and Amy S. Mushahwar, partner and chair of the Data Privacy, Security, Safety & Risk Management practice. Let’s dive into their discussion to illuminate the complexities that organizations face regarding cybersecurity today.

Cybersecurity: A Growing Legal Risk

Cybersecurity is rapidly becoming a top legal concern for organizations. According to Amy Mushahwar, the predictable cycle of data breach responses—such as notifying individuals and providing credit monitoring—has evolved. Modern cyber incidents can restrict entire systems, compromising business flows and cash flow. These instances of cyber disruption are no longer just about compliance; they pose direct financial threats to organizations. The loss of consumer trust, alongside potential litigation costs, amplifies the risks involved in cybersecurity.

Data360 Approach: A Comprehensive Strategy

One of the stand-out elements of their discussion is the introduction of the Data360 approach. This methodology seeks to integrate various legal considerations into a unified strategy for managing data risks. Mushahwar emphasizes the importance of collaboration across different sectors of law—like healthcare and finance—ensuring that organizations are adequately protected against multifaceted data risks.

Data lawyers are not confined to one vertical; they follow the trail of information, mapping out necessary protections organization-wide. This collaborative lens can generate a more robust defense against cyber threats.

Practical Mitigation Measures

Mushahwar outlines essential measures organizations can implement to mitigate cybersecurity risks without involving legal counsel immediately. Chief among these is multi-factor authentication (MFA), a fundamental yet powerful tool in cyber defense. She stresses that not just the organization itself but also all of its vendors must enforce MFA. However, she cautions that MFA alone is not sufficient.

Organizations should also prioritize software patching, endpoint detection and response (EDR) measures, and meticulous tracking of compliance artifacts. These foundational actions lay the groundwork for a strong cyber defense.

The Lawyer’s Role Pre- and Post-Incident

Pre-incident, lawyers play a critical role in establishing comprehensive cybersecurity programs. Mushahwar points out that it’s essential for legal teams to ensure that policies are not only written but effectively implemented. They need to create artifacts demonstrating compliance, engage with budget and governance structures, and provide comprehensive support during incident responses.

Post-incident, lawyers assume the role of the quarterback for the incident response team. They are integral in ensuring that legal risks are monitored and that processes are in place for effective incident management. This dual role highlights the evolving responsibility of legal professionals in the cybersecurity landscape.

Ransomware Evolution and Reporting Responsibilities

Mushahwar offers insights on the changing nature of ransomware attacks. Instead of encrypting data, cybercriminals are now taking sensitive information without disrupting business processes. This shift complicates the decision-making process around whether to report incidents.

She emphasizes that companies must adhere to legal obligations regarding data breaches, pointing out that paying a ransom does not exempt them from the need to report if sensitive personally identifiable information (PII) is involved. This discussion reflects the delicate balance organizations must maintain between legal compliance and operational efficiency in the face of evolving threats.

Engaging General Counsel for Cybersecurity Posture

For General Counsel looking to assess their organizations’ cybersecurity postures, Mushahwar suggests building a strong relationship with the Chief Information Security Officer (CISO). A clear understanding of pain points can foster more effective resource allocation and risk management.

Moreover, General Counsel should not solely rely on CISOs to manage compliance; they should actively collect and review compliance artifacts. This creates an avenue for proactive legal engagement to fortify the organization against potential cybersecurity threats.

Unique Challenges for Large Organizations and SaaS Providers

Large organizations, especially SaaS providers, face unique cybersecurity challenges, particularly regarding vendor management. Mushahwar points out the intricacies of managing relationships with downstream vendors that have access to sensitive data. Large vendors often find themselves navigating complex regulatory landscapes that require careful communication and management.

In the event of a breach, effectively managing communications to various stakeholders—customers, investors, and the public—becomes a crucial aspect of incident response. This “breach as a service” mentality underscores the importance of customer retention, emphasizing that how an organization handles a breach can significantly impact ongoing business relationships.

Protecting Against Cyber Threats

In light of recent incidents, like the Salesloft and Drift breach, organizations must remain vigilant. Mushahwar advises maintaining a comprehensive map of integrations and vendor relationships. She highlights the importance of understanding all connections to mitigate risks effectively.

By cataloging integrations and understanding shadow IT, businesses can respond to incidents more quickly and effectively. This preparation helps reduce reaction time and provides clarity in times of crisis.

The Importance of Continuous Cybersecurity Prudence

Cybersecurity is an ever-evolving field that necessitates continuous attention and adaptation from organizations. The insights shared by Ken Fishkin and Amy Mushahwar in their discussion provide a framework for understanding both the risks and responsibilities that come with data protection in today’s digital landscape.

James
