How to Create a Cybersecurity Standard of Care

How to Create a Cybersecurity Standard of Care
Jake Olcott
Written by Jake Olcott
VP of Communications and Government Affairs, Bitsight

There has been a lot of debate recently about the role of senior executives and boards in managing cyber risk. If you’re involved in advising either of these groups today on cybersecurity, I urge you to focus on one thing: tugboats.

Tugboats? Let me explain.

The T.J. Hooper

All first year law students have to take a class called “Torts” - a class about civil liability and legal duties. In that class, most students read a case from the 1930s called The T.J. Hooper. And yes, the T.J. Hooper is a tugboat.

The short story is that two barges loaded with cargo were being towed by the T.J. Hooper and another tugboat off the coast of New Jersey when a storm rolled in very suddenly causing both barges to sink.

A lawsuit was filed. The cargo holders sued the T.J. Hooper's owners to recover costs associated with the loss of their cargo. The cargo holders alleged that the T.J. Hooper would have avoided the storm altogether if it had been equipped with radios. Leaving port without a radio - which nearly every other tugboat in the harbor had properly deployed - constituted negligence.

On the other side, the owners of the T.J. Hooper argued that radios were relatively new devices in the marketplace. It was hard to know how customary or common their use was. Radios were also not statutorily required. Therefore, they did not act negligently.

The case was heard by Judge Learned Hand, one of the most famous 20th century judges (and not just for his name). Judge Hand's opinion helped established a popular way of thinking about the standard of care that companies owe their customers and shareholders that has survived to this day.

What does this case about tugboats decided in the 1930s have to do with a cybersecurity standard of care?

Today, senior executives, lawyers, and boards are all debating the appropriate standard of care when it comes to securing an organization from cyber attack. Yesterday’s stormy weather that took out the barges towed by the T.J. Hooper are today’s DDOS attacks and targeted malware campaigns. Intrusion detection systems and next generation firewalls are the modern radios.

Executives and boards are concerned not only about keeping the bad actors out of the network, but also the legal liability that comes if they fail to do so. They want to meet an industry standard of care that will protect the company in case of a storm. But what is it?

From the SOC to the BOD: The Board's Role in Cybersecurity [Webinar]

Unfortunately for modern businesses, achieving a cybersecurity standard of care is not as simple as buying a radio. There’s strategy, policy, and technology involved. Standards vary widely by industry.

Comparing Performance

To achieve that minimum standard of care, you need to ask the questions that the owners of the T.J. Hooper didn't: what are my peers doing? How do I compare? Do they have radios that we don’t have? Are they using radios more effectively than we are?