Business Journal Ask the Expert Column – 2018

Could cyber security legislation put my business at financial risk? Yes, without question. In the wake of the Equifax breach, Washington is poised to enact harsh financial penalties that could cost businesses millions or even billions in fines if they are found to be negligent or lacking in their cyber security practices. The number of people impacted by Equifax and other well-known intrusions is placing pressure on politicians, who will probably rush to enact legislation that gains voter attention through corporate financial penalties. If legislators impose harsh fines rather than a uniform set of cybersecurity standards and practices for businesses of all sizes, many companies could face risk levels that result in bankruptcy in the event of a breach.
Will there be increased accountability for executives and directors? It’s not a question of whether there will be increased accountability, but of how quickly legislation will be enacted at either the state or federal level. There was a time when companies, executives, and directors were seen as innocent victims when attacked by cyber criminals. But now the public views companies and the individuals who guide them as overly complacent and not focused on protecting innocent consumers from cybercrime. If C-level executives and directors are found to be anything other than reasonable and prudent in their approach to and administration of cyber security, they will be held personally accountable to such a degree that careers and personal finances could be irreparably damaged. Today, consumers have a zero-tolerance policy for companies that fail to protect personal data and assets. Pandora’s box is wide open.
Will legislation address B-to-B issues as well as consumer issues? Imagine the damages and litigation stemming from a breach in which one company is hacked and the shared data, trade secrets and/or intellectual property of a second company are compromised. The potential losses, damages and liability are nothing short of a simmering powder keg. At SpearTip we have worked diligently with clients for years, advising on best practices to protect not only internal assets, but also external assets and pathways that could allow a breach to extend to a partner or vendor company. Some companies understand the wisdom of proactively fortifying networks and systems to protect their business partners, while others are singularly focused on their own assets. If you’re not thinking big picture when it comes to cybersecurity, you’re leaving yourself vulnerable.
Are there any industries you see at significant risk? Financial and healthcare-related institutions. These operations are often rich in data and have significant financial holdings, but frequently lack the budget for the cyber security tools, training, and experienced personnel they need, making them easy targets for breaches and, increasingly, ransomware. Criminals, particularly organized syndicates, are targeting organizations that are often virtually defenseless against a sophisticated attack.