FOR ENTERPRISE & HIGHER EDUCATION
VIRTUE
VALUE
VISION
HOW MUCH CYBERSECURITY IS ENOUGH?
- Boards and senior executives do not have the needed visibility into their cybersecurity program leaving them legally exposed and uniformed in the decision-making process.
- Traditional approaches such as third-party assessments, IRM/GRC tools, and self assessments do not address the legal requirements to mitigate the risk associated with the tort of negligence in the event of a cybersecurity incident.
COVID19
The events associated with COVID19 have challenged us as IT professionals, family members, and neighbors. As the world around us changes, so to do the resources and capabilities needed to address the challenge. The increase in social restriction is significantly increasing our dependency on IT. While most are focused on the resumption of operations, bad actors are looking to take advantage of the increased threat surface. It is never too late to plan and ensure that the appropriate policies and controls are in place for your organization. We are highly motivated to make our value accessible to everyone in these unique times. Please contact us to learn more, or schedule time to meet with an expert. For those not in the market, please take time to inventory your cyber capabilities and business continuity plans. Your organizations and communities are depending on our ability to execute effectively and securely.
BE
INFORMED
THE STANDARD OF CARE IS THE LEGAL THRESHOLD THAT REDUCES YOUR EXPOSURE TO NEGLIGENCE
The legal precedent, which applies to cyber as well, has been set by a number of critical legal cases that all leaders, CXOs, and Board Members should commit to memory.
United States v. Carroll Towing Co.
is a decision from the 2nd Circuit Court of Appeals that proposed a test to determine the standard of care for the tort of negligence.
Caremark International Inc. Derivative Litigation
is a civil action that came before the Delaware Court of Chancery. It is an important case in United States corporate law and discusses a director's duty of care in the oversight context. It raised the question regarding compliance, "what is the board's responsibility with respect to the organization and monitoring of the enterprise to assure that the corporation functions within the law to achieve its purposes?" Chancellor Allen wrote the opinion.
HOW
WE APPROACH CYBER RISK
Industry
Organization
Technology
Community
THE NEW STANDARD OF CARE
CHARACTERISTICS
of the standard of care
The standard of care is the only degree of prudence and caution required of an individual who is under a duty of care
Reasonable
In the law of Negligence, the reasonable person standard is the standard of care that a reasonably prudent person would observe under a given set of circumstances. This cannot be done alone and requires insight into the internal control posture of your peers.
Current
The standard of care is based on the current state of the environment in which you are participating. This does not only apply to your posture, but your awareness of your peers. The fact that you meet the standard today is not relevant if your peer group materially improve their maturity leaving you exposed to cyber risk.
Over Time
The standard of care is not a point-in-time threshold, meaning that you must have visibility throughout the year to ensure that you have met the reasonable standard at the point of the event. Since most security events happen outside of a scheduled window, this means that you must be aware at all times.
