Season's greetings, dear readers. On the last day of 2017, please enjoy some thoughts on cyber and risk.
As cyber, risk and information security is such a varied and diverse landscape of experience, it is so important to listen, so as to encourage a candid exchange of ideas.
That being said, one observation, that I have observed at least twice, I feel is not evidenced by existing data: "Cyber risk disclosures always take place in hindsight".
First, let's see if we can agree that risk as a general concept is exposure to vulnerability, harm or loss. There is a moment, then, when exposure to a vulnerability goes from being a possibility to an actuality. Thus, when disclosing an event that has become an actuality ("yes, we have been exposed to this risk"), indeed, hindsight is involved. When disclosing an event of which there is a possibility of exposure to a risk, is that hindsight? Does it depend on how possible? This could be a relevant distinction with regard to the issue of how to approach materiality, i.e. the several hundred million dollar question: Was the risk material?
Second, let's talk about forseeability, a favorite concept of tort professors (and tortfeasors) everywhere. Let's use a simple definition: "the idea that a reasonable person could reasonably anticipate the result or the results, as predictable."
Alas, now that foreseeability has entered our last-day-of-the-year conversation, it's time to mention something else heard a few times: "We as attorneys went to school to practice law, and not to become experts on cybersecurity." My response to this is that yes, that is true; most of us intended to study law, and were not necessarily focused on any other particular area outside of law, BUT, the market will address this position, and by that I mean, of course, the clients will look for and find attorneys with a more expansive view.
So now let's put risk and foreseeability together:
Surfing the internet involves risk, when software runs, there is a risk it will be/has been exploited. Thus, every moment online involves risk. Every IOT device involves risk. Flash involves a GREAT DEAL of risk. When engaged in or using the previously mentioned activities or products, it's foreseeable that some types of harm will occur, and there is an entire ecosystem of services and products in existence to address some of these risks.
There are some attorneys who have indicated that the risk involved in the packaging on your clients' product being punctured is commensurate with cyber risk, which one can take to mean some attorneys believe cyber risk only involves the risk of the client's end product or service being contaminated. But cyber is more than a supply chain issue. It is a pervasive and persistent hazard that will not be adequately addressed if it is conceived as a supply chain issue only.
Now is a good time to go back to the statement: "Cyber risk disclosures always take place in hindsight". If you think about how what we are discussing here is more than a supply chain risk, that it is an issue that involves a pervasive and persistent hazard, it may help some law practitioners to move beyond that statement, and we need to move beyond that idea or there will be more blackouts, more out-of-order hospitals, and losses generally.
But it doesn't have to be that way... okay, back to listening.
See you next year.
MCC
As cyber, risk and information security is such a varied and diverse landscape of experience, it is so important to listen, so as to encourage a candid exchange of ideas.
That being said, one observation, that I have observed at least twice, I feel is not evidenced by existing data: "Cyber risk disclosures always take place in hindsight".
First, let's see if we can agree that risk as a general concept is exposure to vulnerability, harm or loss. There is a moment, then, when exposure to a vulnerability goes from being a possibility to an actuality. Thus, when disclosing an event that has become an actuality ("yes, we have been exposed to this risk"), indeed, hindsight is involved. When disclosing an event of which there is a possibility of exposure to a risk, is that hindsight? Does it depend on how possible? This could be a relevant distinction with regard to the issue of how to approach materiality, i.e. the several hundred million dollar question: Was the risk material?
Second, let's talk about forseeability, a favorite concept of tort professors (and tortfeasors) everywhere. Let's use a simple definition: "the idea that a reasonable person could reasonably anticipate the result or the results, as predictable."
Alas, now that foreseeability has entered our last-day-of-the-year conversation, it's time to mention something else heard a few times: "We as attorneys went to school to practice law, and not to become experts on cybersecurity." My response to this is that yes, that is true; most of us intended to study law, and were not necessarily focused on any other particular area outside of law, BUT, the market will address this position, and by that I mean, of course, the clients will look for and find attorneys with a more expansive view.
So now let's put risk and foreseeability together:
Surfing the internet involves risk, when software runs, there is a risk it will be/has been exploited. Thus, every moment online involves risk. Every IOT device involves risk. Flash involves a GREAT DEAL of risk. When engaged in or using the previously mentioned activities or products, it's foreseeable that some types of harm will occur, and there is an entire ecosystem of services and products in existence to address some of these risks.
There are some attorneys who have indicated that the risk involved in the packaging on your clients' product being punctured is commensurate with cyber risk, which one can take to mean some attorneys believe cyber risk only involves the risk of the client's end product or service being contaminated. But cyber is more than a supply chain issue. It is a pervasive and persistent hazard that will not be adequately addressed if it is conceived as a supply chain issue only.
Now is a good time to go back to the statement: "Cyber risk disclosures always take place in hindsight". If you think about how what we are discussing here is more than a supply chain risk, that it is an issue that involves a pervasive and persistent hazard, it may help some law practitioners to move beyond that statement, and we need to move beyond that idea or there will be more blackouts, more out-of-order hospitals, and losses generally.
But it doesn't have to be that way... okay, back to listening.
See you next year.
MCC
