Security Risk Management

How to Create a Cybersecurity Standard of Care

Jake Olcott | March 18, 2015

There has been a lot of debate recently about the role of senior executives and boards in managing cyber risk. If you’re involved in advising either of these groups today on cybersecurity, I urge you to focus on one thing: tugboats. 

Tugboats? Let me explain. 

The T.J. Hooper

All first year law students have to take a class called “Torts” - a class about civil liability and legal duties. In that class, most students read a case from the 1930s called The T.J. Hooper. And yes, the T.J. Hooper is a tugboat.    

The short story is that two barges loaded with cargo were being towed by the T.J. Hooper and another tugboat off the coast of New Jersey when a storm rolled in very suddenly, causing both barges to sink.

A lawsuit was filed. The cargo holders sued the T.J. Hooper's owners to recover the costs associated with the loss of their cargo. The cargo holders alleged that the T.J. Hooper would have avoided the storm altogether if it had been equipped with a radio. Leaving port without a radio - which nearly every other tugboat in the harbor had properly deployed - constituted negligence.

On the other side, the owners of the T.J. Hooper argued that radios were relatively new devices in the marketplace. It was hard to know how customary or common their use was. Radios were also not statutorily required. Therefore, they did not act negligently.

The case was heard by Judge Learned Hand, one of the most famous 20th century judges (and not just for his name). Judge Hand's opinion helped establish a widely adopted way of thinking about the standard of care that companies owe their customers and shareholders, one that has survived to this day.

What does this case about tugboats decided in the 1930s have to do with a cybersecurity standard of care?

Today, senior executives, lawyers, and boards are all debating the appropriate standard of care when it comes to securing an organization from cyber attack. Yesterday's stormy weather that took out the barges towed by the T.J. Hooper is today's DDoS attacks and targeted malware campaigns. Intrusion detection systems and next generation firewalls are the modern radios.

Executives and boards are concerned not only about keeping the bad actors out of the network, but also the legal liability that comes if they fail to do so. They want to meet an industry standard of care that will protect the company in case of a storm. But what is it?

Unfortunately for modern businesses, achieving a cybersecurity standard of care is not as simple as buying a radio. There’s strategy, policy, and technology involved. Standards vary widely by industry. 

Comparing Performance

To achieve that minimum standard of care, you need to ask the questions that the owners of the T.J. Hooper didn't: What are my peers doing? How do I compare? Do they have radios that we don't have? Are they using radios more effectively than we are?

Tune in on Thursday, March 26 at 11:00am EDT for a panel discussion webinar with two experts in corporate governance and legal liability, Bill Ide and Donna Dabney. We will take a deeper dive into standards of care, board reporting, peer benchmarking, and lessons to avoid the storm!
