On November 8, 2023, Paul Hastings hosted the Cybersecurity Law Workshop at this Fall’s Privacy + Security Forum with a panel on cybersecurity governance and incident response. The panel was moderated by Paul Hastings Associate David Coogan, and featured Anthony Marmo (Deputy General Counsel, PNC), Akshay Dhawan (Managing Director, Cyber Risk and Cloud Services Leader, Ankura), and Mari DeGrazia (Director, Digital Forensics and Incident Response, ZeroFox).

The panel provided various perspectives on cybersecurity governance and controls, Chief Information Security Officer (“CISO”) qualifications, and modern incident response. Additionally, panelists discussed the various issues companies are facing with respect to AI, social engineering, and data breach reporting obligations.

Here are some of the main takeaways from the panel—

Cybersecurity Governance and Controls. Panelists highlighted common themes that make a good governance program, specifically calling for increased transparency and accountability, board member training, and strategic implementation of security policies and procedures. Additionally, in light of recent enforcement actions, panelists emphasized the need to be proactive in preparing for cybersecurity incidents, such as conducting tabletop exercises and identifying gaps in compliance.

CISO Qualifications.  Next, the panel discussed the key qualities of a good CISO. With examples of the personal liability of senior executives on the rise, including liability of CISOs, panelists discussed three core qualities that make for a strong CISO: (1) being a strategic leader; (2) acting as a team player; and (3) having up-to-date technical expertise.

Challenges to Modern Incident Response. The panel closed out with a conversation on modern incident response. Panelists discussed various differences in modern incident response, as opposed to past years, calling out key issue-areas, such as increased reliance on cloud service providers and SaaS providers, more sophisticated social engineering attacks, and the emergence of AI as a tool used by threat actors.

What Companies Should Do Now:

Based on the issues discussed above, organizations should consider taking the following steps:

• Review current incident response plans and make updates as needed to comply with current laws.
• Invest in privacy and cybersecurity training for the board and members of the C-suite.
• Evaluate cybersecurity risks posed by third-parties, including robust third-party vendor management procedures and strong contractual terms in the event of a third-party security incident.

The Privacy+Security Forum is hosted twice a year by Daniel Solove and Paul Schwartz, and brings together leading experts in the areas of privacy and security law. This Fall’s Forum took place from November 8-10^th in Washington, D.C.

If you have any questions about the issues discussed in this blog post, please do not hesitate to contact any member of our team.