CIO’s Role, Liability in Cyber Security Policies

Recently, the U.S. Office of Personnel Management (OPM) disclosed that 21.5 million people were swept up in a colossal breach of government computer systems. Basically, every person given a government background check for the last 15 years was most likely affected. According to the agency, hackers stole “sensitive information,” including addresses, health and financial history, and other private details, from 19.7 million people who had been subjected to a government background check, as well as 1.8 million others, including their spouses and friends. The theft was separate from, but related to, an earlier breach that compromised the personnel data of 4.2 million federal employees, according to officials.

Now, the CIO of the OPM, Donna Seymour, faces a lawsuit for her role in failing to protect millions of personal data files of employees. The suit accuses her and others of negligence, privacy violations and other transgressions.

How does this bode for CIOs of companies? In a recent article in the Wall Street Journal, one attorney expects to see more of these types of suits. “We are absolutely going to see more CIOs and other C-level executives taking the fall and ultimately being named in lawsuits,” said Matthew Karlyn, a partner at Foley & Lardner LLP.

What’s important, said Karlyn, is that a CIO is able to demonstrate that a methodical, attentive approach was implemented to conceiving, installing, monitoring and adapting cyber security measures. “Although CIOs may be sued, they may not be judged liable if they can show proof of carrying out these fiduciary responsibilities. They have to play an active role,” Karlyn said.

Some of the questions that CIOs and their board members should be asking about their cyber security policies, to ensure that robust mitigation measures are being implemented, include:

  • Is cyber security a business or IT responsibility?
  • Do security goals align with business priorities?
  • Have we identified and protected our most valuable processes and information?
  • Does our business culture support a secure cyber environment?
  • Do we have the basics right? (For example, access rights, software patching, vulnerability management and data leakage prevention.)
  • Do we focus on security compliance or security capability?
  • Are we certain our third-party partners are securing our most valuable information?
  • Do we regularly evaluate the effectiveness of our security?
  • Are we vigilant and do we monitor our systems and can we prevent breaches?
  • Do we have an organized plan for responding to a security breach?
  • Are we adequately resourced and insured?

When it comes to having proper insurance, the right Cyber Liability policy should be secured to address specific operational exposures and the industry the business serves. Caitlin Morgan can help you place Cyber coverage for your insureds, customizing the coverage to respond to their unique risk profile. For more information, give us a call at 877.226.1027.