2023-07-19

With regulatory scrutiny increasing, some CISOs are partnering with their organization’s legal counsel, seeking expert input to guide their compliance and risk minimization efforts. Chiara Portner, cybersecurity attorney with Hopkins & Carley, says lawyers play a crucial role in advising on risks and finding ways to mitigate them. “With the increasing regulatory scrutiny and burden, involving legal counsel in every step of the process helps companies navigate data privacy laws and security regulations effectively,” says Portner.

The push for stronger regulations is coming from two fronts, government and consumer pressure, says Portner. The demands to protect consumers and keep their data secure stem from people’s growing awareness that they want their information protected. “Lay people are learning about privacy and security. They’re seeing more pop-ups and requests on websites or in apps and are starting to learn what those actually mean,” she says.

The government’s need to find and prosecute cybercriminals, many of whom reside in other countries, is shifting the burden onto organizations, according to Dave Anderson, vice president of cyber for insurance broker Woodruff Sawyer. “There has also been a contemporaneous paradigm shift such that companies who are attacked by cybercriminals are viewed less as ‘victims’ and more ‘negligent’ in their controls,” Anderson says.

As the consequences of data breaches for a company’s individual directors and officers, such as CISOs and general counsel, become more severe, collaboration between information security and legal is becoming a baseline and reasonable minimum business practice, says Anderson. He argues that if it is lacking, it could be viewed as demonstrating immense negligence in class action litigation and regulatory investigations, an argument that could eventually be made in a test case. “There is a high likelihood that criminal negligence theories will be tested over the coming years,” Anderson says.

That potential is something CISOs need to take note of, according to Anderson. “CISOs should lean on their company’s general counsel or privacy officer to better understand the regulatory landscape their systems exist in,” he says.

Regulations redefining cyber risk as business risk

There is an increasingly complex matrix of regulations organizations need to comply with: industry-specific rules, with financial services and banking the most heavily regulated, followed by healthcare and bioinformatics organizations that handle DNA data, plus the expanding list of sectors defined as critical infrastructure. There is also a growing raft of country- and jurisdiction-based requirements, such as the European Union’s General Data Protection Regulation (GDPR), which every organization operating online globally faces.

David Owen, partner in cyber risk at Deloitte, says cyber regulations have evolved over the past few years to address the lack of control and decision-making in organizations. “Regulations aim to reduce discretion and enhance control measures,” Owen says. Principles-based regulations in particular require interpretation before they can be implemented effectively, he notes.

Owen also says having legal interpretations of terms such as “material harm” is incredibly important, ideally well before they are needed during an incident. Defining the scope of material harm changes the equation on the cost of cybersecurity spending. It helps CISOs write the business case that demonstrates the value of spending money on cyber to lower the risk profile, rather than simply to add to the bottom line. “What regulation does for cyber leaders is to remove some of that management discretion,” he says.

As the regulatory burden increases, organizations and CISOs are having to take ownership of cyber risk, but it needs to be seen through the lens of business risk, according to Kayne McGladrey, field CISO with Hyperproof. Cyber risk is no longer simply a technology risk. “The problem is, organizationally, companies have separated those two and have their business risk register and their cyber risk register, but that’s not the way the world works anymore,” says McGladrey.

He believes the Securities and Exchange Commission (SEC), the Federal Trade Commission (FTC), and other US regulators are trying to promote collaboration among business leaders because cyber risks are functionally business risks. McGladrey thinks most CISOs understand this, but that understanding does not necessarily extend to other leaders in the business. “Can we just please have one risk conversation with people and plan that out appropriately,” he says.

However, not all CISOs are naturally well versed in defining the business case for cyber risk. McGladrey believes CISOs who are more adept at articulating the business value of cybersecurity will find it easier to achieve buy-in, while those from a more technical background who emphasize compliance over business risk may find it harder to get support and budget.

“The underlying problem here is that, historically, CISOs have come from an IT background. They’ve sounded like IT people, they’ve talked about IT things, and so a lot of that communication has either just not been of interest to the board or not of interest to senior executives, or the message hasn’t landed,” says McGladrey. “The challenge CISOs have moving forward is how do we collectively speak to an increasingly diverse number of audiences about an increasingly diverse number of topics so that everybody understands what we’re saying? With a tailored message to each of them?”

By collaborating more closely with legal, CISOs can get the support they need to understand the organization’s regulatory environment and adopt the language of business risk to bolster the case for spending to meet regulatory requirements. Yet CISOs cannot be expected to stay up to date with every recent permutation of the legal system; they lack the time and the training, and it is not their specialty. So how do they understand what is changing and avoid the enforcement penalties, or even litigation, that could result from non-compliance?

Working collaboratively with counsel, they gain insight into what is going on in the wider world and which risks they need to plan for. “CISOs should not be responsible for figuring out all the most recent permutations of the legal system,” McGladrey says. “It’s not really possible as a CISO to be looking over the horizon and reading law journals and trying to parse out if they need to modify the strategy or security roadmap and plans based on either the outcomes of pending litigation or potential legislation or potential regulatory change.”

“It’s having a discussion on say a quarterly basis about what’s coming up and what they need to be aware of. If you treat legal risks as another risk vector as a CISO, you’ll be better informed and able to make decisions proactively rather than reactively,” says McGladrey.

Holistic cybersecurity risk management with the help of counsel

Woodruff Sawyer’s Anderson argues that CISOs need holistic risk management, and that means identifying everywhere PII and other protected data sits. “One must know what type and how much data they are responsible for,” he says. This includes cloud providers, third-party vendors, and any other entities in a company’s supply chain that hold its data. “Ultimately, the company collecting the information is always going to be responsible.”

“[General counsels] or internal compliance or privacy counsel will be better served to defend their company from litigation if they can clearly separate specific data sets that may have been compromised and those data sets that have not. Relying on your CISO’s effective data management and data inventory strategy is the single best way to understand your scope of liability after a cyberattack,” he adds.

Anderson says CISOs need both knowledge and context, and working closely with legal helps them shape their strategy in response to the regulatory environment and may even soften any penalties. “Regulators are often more lenient on enforcement actions when the attacked company took all the appropriate actions and demonstrated a good faith effort to build a data security program that contemplates privacy and regulatory requirements upfront,” he says.

With an increasingly complicated regulatory landscape, legal interpretation and guidance are critical. Highly prescriptive regulations tend not to consider context, which moves the risk onto whoever writes the control list, according to Deloitte’s Owen. With principles-based regulations, by contrast, the regulator is saying it wants the organization “to demonstrate it’s been through a thought process about it, rather than telling organizations what the control should be because it can’t write regulations that consider every single context of how information will be used,” he says. “You need to get an interpretation to make good business decisions.”

Owen, whose area of expertise is critical infrastructure, emphasizes the importance of legal guidance under principles-based regulation, as is the case in Australia. He argues there is a lot of scope to spend a great deal of money without ever getting to why you are doing it and how it links clearly to the regulation. “You can do a wonderful risk management program, which actually fails because it doesn’t tie back to the current threshold tests around materiality that have been defined in law,” he says.

Having an interpretation of a threshold test is hugely beneficial in the event of an incident. “For example, knowing at what point you have to notify consumers, it’s good to have that threshold interpreted before the incident rather than during the incident,” Owen says.

Hyperproof’s McGladrey agrees that CISOs do not want to be seeking definitions from their legal advisors for the first time in the midst of an incident. “[Knowing those definitions] can make an incident response so much more pleasant. It’s still a terrible time, but you at least trust the person you’re working alongside,” he says.

Having legal on side can also help CISOs when negotiating vendor, supply chain, or customer contracts. If proof or particular contract terms are required, the CISO can get an opinion or advice before signing off on things that may be unnecessary or even unwise. “They might say: ‘We don’t need to disclose that,’ or ‘There’s no value in us to have an established policy on that,’” says McGladrey.

Legal counsel can help define risk tolerance

“Everyone has the same goal to make the company protected, whether it’s counsel, CISOs or management team within the company,” says Portner. The key is defining the risk tolerance the company is willing to accept and what that means in practice.

That raises questions of whether certain security measures create user fatigue, friction, or too many clickthroughs, and of how to achieve an acceptable level of transparency. “Balancing what is reasonable and makes sense, but always keeping in mind, having transparency and honesty,” adds Portner.

While legal counsel will not go as far as recommending specific tools or platforms, they can advise on risk and potential liability. They can inform the risk conversation and help CISOs articulate the consequences of not investing in certain measures or not adopting specific protections.

The decision then becomes one of costing out how much to spend to avoid the problem, or alternatively whether to transfer it to insurance. “That’s how they can help make the organization more secure, but it’s only through the counsel’s contributions to the risk conversation rather than the counsel directly owning making the organization more secure because that’s not in their purview,” says McGladrey.

Depending on the risk profile, some CISOs may choose to use their counsel as a sounding board while making the final decisions themselves. Others may make recommendations but, on their counsel’s advice, decline to be the final decision maker so as not to be singularly responsible, and therefore liable, if things go wrong.

On the question of what personal responsibility CISOs hold, legal advice may be needed. In the US, CISOs need to know whether they are named, by role or individually, on the directors and officers (D&O) policy, says McGladrey, in order to understand their potential personal liability if a suit is brought against the organization. If a CISO is not on the D&O policy, the corporation does not necessarily have to afford them extensive legal protection, he says. “This comes to having that relationship with your counsel and understanding what are they willing to cover. And what you need to retain personal counsel for.”

While some CISOs do not work with counsel in any regular arrangement, only coming together when there is a breach or incident, this may be unsustainable as the regulatory environment becomes more demanding. “As things become more contentious and more heavily regulated, that’s going to be a harder position to maintain,” McGladrey says.