CEOS and Boards of Directors:

Take control of cybersecurity liability


CEOs Take Control of Cybersecurity

Why Does the CEO Need to Take Control of Cybersecurity?

Your CEO and board of directors are the legal owners of your IT systems. They are legally accountable for cybersecurity. They are accountable to parties that share confidential information with you. This includes:

  • Customers
  • Shareholders
  • Investors
  • Patients
  • Joint Venture Partners
  • Limited and General partners
  • ERISA employees and others who entrust data with your firm.

Learn How Key Leaders Demonstrate Due Diligence 

If you are attacked, your CEO and board of directors may need to defend themselves personally in court. Stakeholders will seek accountability if their confidential data is compromised.  The CEO is uniquely, personally accountable to stakeholders as a fiduciary. With regard to cyber security, the CEO has a personal, legal duty to put stakeholders' interests ahead of their  own. In the eyes of the law, the CEO and Board  are the human embodiment of the organization.  To defend a claim that fiduciary duty was breached, a CEO must prove that he or she exercised due diligence over IT cyber security.

What if a CEO Fails to Exercise Due Diligence?

As the articles in this website's CEO News make clear,  there is a growing trend to treat CEO liability as a personal matter.  Prior to the 2010  Enron scandal,  CEOs and directors could rest assured that the corporate veil could shield them from personal responsibility for damages resulting from unreasonable risk-taking and wrongdoing in the corporate name.   The Sarbanes–Oxley Act of 2002 (SOX) was passed to address the issue of CEO liability for corporate malfeasance. While SOX is specifically directed toward the accuracy of financial information, it reflects a growing trend demanding CEO personal responsibility for corporate acts. Corporate executives and boards that are relying on Supreme Court cases like Citizen's United as a shield against corporate malfeasance are misreading the law to their own peril.

How Does TEMVI Help CEOs and Board Members

TEMVI helps CEOs and board members understand their legal duties around cyber security and teaches them how to manage the senior executive team according to recognized cybersecurity models. Our counsel helps CEOs protect:

  • Assets from cyber-related legal claims
  • Personal and professional reputation
  • Freedom from civil and criminal liability
  • Insurance claims and insurability around cyber incidents

What Is the Key to Limiting the CEO's Legal Liability From Cyber Attacks

The key to limiting liability from cyberattacks is active management of the CEO's senior executive team. Active management includes prioritizing and measuring progress toward specific cybersecurity goals for all of the CEO's direct reports (i.e. technology and non-technology executives).  Our services are provided directly to the CEO and board:

  • From an executive leadership perspective
  • Based on your business plan, market and industry
  • According to your business priorities
  • In plain business English

How is TEMVI Different From My Current IT Cybersecurity Provider

In our experience, your IT provider is likely doing an adequate job.  However, most CEOs and boards would be hard pressed to explain why or what they are doing. IT and cybersecurity are--in many ways--a "black box". In most cases, CEOs and boards are trusting their IT team. However, your IT provider is neither qualified nor legally permitted to offer legal opinions on issues like legal  cyber risk and liability.  Nor should your IT team evaluate their own work. Unlike IT operations, flaws in cyber security are invisible to system users. You will only know that your trust was misplaced after an attack. The worst part is that following an attack the IT team simply moves on to another job. The CEO and board of directors will be left to grapple with the consequences of the cyber attack. 

TEMVI provides leaders with:

  • A legally reliable legal opinion on cyber risk based on established cyber security standards of care and applicable law
  • Direct advice to the CEO and Board
  • Advice at reasonable, fixed fees that are proportional to your organization's revenues

About Us

The Problem We Solve CEOs and board members are personally responsible for cybersecurity. Following a cyberattack, injured parties will often seek to hold CEOs and board members legally responsible for damages. Under the law, CEOs and directors are considered fiduciaries and are personally accountable for damages suffered. Our Mission Mastery of cybersecurity is a required core leadership competency for most organizations in the current world. TEMVI provides affordable, easy-to-understand and follow cybersecurity roadmaps for leaders who wish to master the management and security of information. Information is the core of our knowledge-based society and is the cornerstone of our ability to collaborate. Accurate, secure information is the core of every modern enterprise, government and society. We strive to lead the effort to encourage the spread of this knowledge throughout the world. Our Firm TEMVI, PLLC is a law firm with deep cybersecurity expertise. We help CEOs and board members understand and manage their cybersecurity duties. Failure to manage these duties could result in civil or criminal liability for CEOs or board members. The Internet has become more and more connected with the physical world. Following a cyber attack, the cars, trucks and machines connected to the Internet can malfunction. Parties sometimes are seriously injured or die from these malfunctions. Injured parties typically will name CEOs and board members--in their personal capacity--as defendants in legal actions. Our attorneys and engineers have more than 30 years of experience understanding and managing this cyber risk. TEMVI is led by Donald Temple, Esq.,, Dr. Timothy McKnight, MD,MHS, Thomas View, Esq. and Bruce Hargrave, CISSP. TEMVI, PLLC is a joint venture between TEMVI, PLLC & Team Consulting, Inc.

WHY YOUR ORGANIZATION NEEDS TEMVI

All organizations use some form of cybersecurity. But did you know that —by law--you must verify that your level of protect ion is adequate. As a CEO or board member, what assurance do you have that you will not be held liable in the wake of a cyber attack on your organization? Ask your current cybersecurity provider if they offer you any of the following: LEGAL ASSURANCE AGAINST CYBER RISK Do they guarantee that their services will offer you sufficient protection from third-party liability if you are attacked? TEMVI provides CEOs with a guarantee that their oversight is legally sufficient. Seeking and following legal advice protects you from liability. CONFIDENTIALITY OF DATA If you are sued, your IT and cybersecurity vendors can be called to testify against you. Their work for you can also be subpoenaed by the government or a plaintiff. TEMVI—as lawyers—must protect your privacy. We can never disclose your information to any party for any reason. This includes the government or law enforcement. ADMISSIBILITY OF EVIDENCE IN YOUR DEFENSE TEMVI gives you a legal assurance that evidence--in your defense--will be admissible in court. INSURANCE CLAIM ASSURANCE Did you know that your Errors and Omissions or Cybersecurity Insurance policies require "legal due diligence" as a condition of paying any claim? Many parties only discover that they have not met this high and specific standard following an incident from the Insurer’s attorney. TEMVI assures you that your cyber-insurance policy will pay your claims. Essentially, we provide your board and CEO with the peace of mind that comes from knowing that all parties who touch, connect with, or use your IT system will be doing so with legally appropriate CEO and board oversight. We look forward to having a conversation to help you negotiate this exciting process. Thomas View, Esq. General Counsel and Managing Director TEMVI, PLLC

All Companies Must Resist the Urge to "Game" New SEC Cyberattack Disclosure Regulations

This article explains the pitfalls associated with a failure to exercise forthrightness and candor under new SEC disclosure rules.

Read More

Baby Dies After Hospital Hit by Ransomware Attack: Suit Follows - Copy

This article explain how hospitals can be affected by ransomware attack which may pose a serious danger to the very existence of the health care provider.

Read More

Ransomware Attack on Delaware Mental Health Provider Could Result in $400,000 in HIPPA Fines

HIPPA fines resulting from ransomware attacks are real for health care providers--including mental healthcare providers. DGS had become the victim of a ransomware attack that had locked up the patient records. Those records contained personal information, such as name, address, birth date, social security number, and medical information. To secure release of the records, DGS was required to pay a “ransom,” in exchange for a de-encryption “key” that unlocked the records. Because there is a strong possibility that records had been accessed, corrupted or exfiltrated, DGS was forced to undertake the expense of notifying victims and offering them other services and supports in addition to paying the ransom demand.

Read More

Rep. Warren Wants Jail Time for CEOs

This article explains how public frustration with cyber attacks is driving calls to jail CEOs who are careless with data entrusted to their organizations.

Read More

The People Are Growing Impatient

This article elaborate how cyber attacks are motivated through financial wise , terroristic approach, and also political means hence why CEOs must go a long way not only just securing lives and property but also avoiding lawsuit to protect their reputation, assets and freedom.

Read More

Biden's Cybersecurity Order

This article illustrated why government demand accountability from CEOs in order to curb future occurrence of cyber attacks.

Read More

What is Driving The Trend Toward CEO Personal Legal Liability

This article explains why CEOs cannot use corporate immunity as a camouflage for criminal negligence or irresponsibility towards the citizens.

Read More

Colonial Pipeline CEO Faces Liability for Cyber Attack

This article gives an explanation on how the largest fuel pipeline company was crippled by the activities of cyber attackers thereby resulting to fuel shortage.

Read More

75% of CEOs Liable for Cyber Attacks

This article explains why CEOs should act now to get ahead of personal liability (civil or criminal) for cyber attacks on their companies.

Read More

CEOs Incarcerated for Cyber Attacks

This article explains exactly how CEOs can be held civilly--and in some cases criminally--responsible for damage resulting from cyber attacks on company computer systems.

Read More


WHY TEMVI?

TEMVI arms healthcare CEOs, board members and partners (Fiduciary Leaders) with the tools needed to defend against ransomware attacks and limit the legal liability increasingly associated with them. TEMVI’s team of lawyers, engineers, and Certified Information Systems Security Professionals will work with your healthcare organization to:

  • Help CEOs and boards understand and manage the liability posed by cyber attacks
  • Help CEOs and boards understand and manage responsibility under regulatory frameworks like HITRUST, HIPPA and FISMA
  • Help CEOs and Boards  prioritize and manage a plan of action to address the vulnerabilities that they face.

It is important to recognize that Fiduciary Leaders of medical service providers can face personal civil or criminal legal liability where their oversight of cybersecurity is deemed negligent.

Accordingly, Fiduciary Leaders need independent  legal assurance around the work of employees and vendors who program, maintain and configure the organization's IT systems.  TEMVI provides Fiduciary Leaders with the legal assurance that their IT systems will not pose civil or criminal risk to the organization or to individual leaders personally. 

Read more about your risks and why you need a Legally Assured System Security Plan from TEMVI.


Healthcare CEOs, Board Members and Partners Must Know and Act on Cyber Risks


As a healthcare provider, you are tasked with protecting highly sensitive and valuable data. The extremely high value of medical and healthcare-related records (e.g. patient treatment records, insurance records, prescriptions related to controlled substances, Medicare and Medicaid records etc.) in the criminal underworld makes hospitals and healthcare systems uniquely vulnerable to cyber attacks.

Attackers are looking for valuable computer records which include:

  • HIPPA-protected patient treatment records.
  • HIPPA-protected patient personal information (e.g. medical history, financial information, driver’s license, social security number etc.)
  • Personal and organization insurance records
  • Patient prescription information,
  • National Provider Identifier (NPI) information.
  • DEA Registration Numbers
  • DEA Registration Application information (e.g. Tax ID numbers, and prescriber login information for DEA databases)
  • Information from Completed DEA Form
    • DEA Form 224a – Retail Pharmacy, Hospital/Clinic, Practitioner, Teaching Institution, or Mid-Level Practitioner
    • DEA Form 225a – Manufacturer, Distributor, Researcher, Analytical Laboratory, Importer, Exporter
    •  DEA Form 363a – Narcotic Treatment Programs
    • Cyber Insurance
    •  DEA Form 510a – Domestic Chemical Confidential personal and professional background information provided by treatment professionals (e.g. Information pertaining to controlled substances, in the applicant's background.)
  • Drug codes and chemical codes
  • Medicare and Medicaid records etc.
The great investment that the criminal underworld makes in attacking hospitals and healthcare systems makes them uniquely vulnerable to cyberattacks. Researchers have noted a steady increase in ransomware attacks in 2020 and this trend is expected to continue well into 2030.
Ransomware attacks on medical systems threaten the provider's ability to provide care and ensure that patients’ sensitive data remain protected from bad-faith actors.

Attackers know that threatening healthcare system data holds lives at stake. Their attacks lock hospital IT desks, electronic health records (EHRs), payroll programs, and other vital digital tools, leaving critical infrastructure inaccessible for days and weeks.

Meanwhile, the CEO and board must scramble to determine whether and how to meet the ransomware demand. Typically, during this period, unaffected parts of the hospital’s computer network will be shut down to prevent further damage to the hospital IT system. In the wake of an attack three very serious problems must be addressed given the unavailability of the provider’s computer system:

  • Hospital staff must guess which patients were scheduled for appointments
  • Many critical procedures will need to be rescheduled
  • Many patients must go to other hospitals for treatment


More than 1 in 3 health care organizations globally reported being hit by ransomware in 2020, according to a survey of IT professionals. What’s more, the sector experienced a 45% uptick just since November 2020, according to HealthITSecurity.

Given the extreme vulnerability of healthcare providers, it is prudent to assume that your organization will be the subject of an attack and invest resources into monitoring and mitigation efforts to minimize damage and legal liability associated with the inevitable attacks.

Risk of cyberattacks on healthcare providers in the COVID era have grown at a geometric rate. Nearly half of all U.S. hospitals disconnected their networks in 2021 due to ransomware attacks according to a study from Philips and CyberMDX.  For example, in late 2021, dozens of hospitals and clinics in West Virginia and Ohio canceled surgeries and diverted ambulances following a ransomware attack that knocked out staff access to IT systems across virtually all operations. 

These facilities are owned by Memorial Health System, which represents 64 clinics, including hospitals Marietta Memorial, Selby General, and Sistersville General in the Marietta-Parkersburg metropolitan area in West Virginia and Ohio.  




In addition to ransom payments, a typical hospital will suffer an uninsured loss of about $3.5 million in revenue associated with legally required notifications to affected parties and IT work necessary to “scrub” network systems and restore hundreds of affected computers. While actual ransomware payments are designed to be affordable and paid (e.g. often less than $35,000), the real effect of the attack comes after the payoff in the form of:

  • Risk of death or other threats to patient welfare as a result of disruption in operations.
  • Loss of revenue from procedures not performed.
  • Diminished hospital reputation 
  • Exclusions from cybersecurity insurance and increased cost associated with future insurability

1 Leventhal,  Ransomware Attacks on US Healthcare Organizations Cost $20.8B in in 2020,Comparatech, 2021
Most losses from a cyberattacks are not covered by so-called "cyber insurance". Cyber insurance policies typically require the insured to attest to a very specific level of cybersecurity “hygiene” at the time the policy is written. Following an attack, the insurer’s forensic examiners will seek to confirm proper exercise of cybersecurity due diligence by the organization's leadership. Without proper guidance, these standards are rarely met and coverage is often denied.

While close inspection of a cyber-insurance policy might find limited coverage for ransom payments and payment of fees associated with notifying affected individuals, indirect losses (e.g. lost revenue, lost reputation, losses injured third parties etc.) are not typically covered. Moreover, social engineering attacks--the greatest threat to your cybersecurity--are typically explicitly excluded from most cyber insurance policies.
CEOs, board members and partners in any organization can face civil or criminal legal liability where oversight of cybersecurity has been deemed negligent and an attack is the proximate cause of death or bodily injury.  In most information-based business, the threat of death or bodily injury—while possible—is often indirect and fairly removed from the leaders’ stewardship of IT security.  In healthcare, death and bodily injury—even under the best of circumstances--are integrally connected with treatment. These claims are typically considered the most serious and are sometimes the source of criminal liability
The COVID-19 pandemic has resulted in an enormous increase in strain on our healthcare systems and increased the risk involved with any breach of data or obstacle to providing care.  The COVID 19 Pandemic has been the most urgent health crisis facing humans on planet earth.

The pandemic has put an enormous strain on our healthcare  systems and increased the risk involved with any breach of data or obstacle to providing care. Sudden and drastic increases in telework, distance learning, streaming entertainment and gaming has driven a geometric increase in internet use. At the same time, the on-site cybersecurity workforce was not immune to the diminution in force affecting all industries (e.g. quarantine, social distancing, attrition, etc.)

This has resulted in  a drastic increase in the vulnerability to cyber threats of IT systems generally. 
Healthcare providers are burdened with managing a precarious network of invaluable, under-protected information. Hackers can hold information hostage and leverage high payouts from already-exhausted healthcare organizations. These organizations often are forced to quickly disburse the funds to avoid further delays in medical care.

The threats posed to medical providers include:

  • Risk to patient life and health
  • Loss of access to medical records
  • Malfunction of electronic systems
  • Delays or forced refusals of care
  • Loss of profit.
The key to preventing these perilous attacks is a comprehensive understanding of your susceptibility to cybersecurity risks and of the preemptive steps required to address them.

“If cybersecurity isn’t one of your top two priorities, it needs to be,” says University of Vermont (UVM) Medical Center Health Network Chief Medical Information Officer Doug Gentile, MD. " He adds, “If you don’t have a very robust security profile, you’re likely to get hit".
As larger healthcare providers strengthen their cyber defenses, ransomware attacks are more likely to occur with smaller providers like Federally Qualified Health Centers.  These providers serve rural and economically disadvantaged regions and are typically poorly defended against ransomware attacks. As larger providers strengthen their cyber defenses, attackers have pivoted to smaller operations which cannot afford the high fixed cost associated with meaningful cyber defenses. While these attacks yield a smaller “take”, they can be automated to simultaneously attack multiple organizations at once.

This increased vulnerability is compounded by the fact that patient income is strongly inversely associated with morbidity and mortality. These income-related health disparities appear to be growing over time.1 Civil liability based on claims alleging death or serious bodily injury are associated with larger damage awards.

1 “Health, Income, & Poverty: Where We Are & What Could Help, " Health Affairs Health Policy Brief, October 4, 2018.
To protect a healthcare organization, CEOs, partners and board members from the risk of and liability associated with a cyberattack, it is crucial that a provider's leadership understand its cybersecurity legal risk and responsibilities. Identifying your organization’s weak spots before a hack is the best way to protect your network of information. TEMVI’s team of lawyers, engineers, and Certified Information Systems Security Professionals will work with your healthcare organization to:

  • Help CEOs and boards understand and manage the liability posed by cyber attacks
  • Help CEOs and boards understand and manage responsibility under regulatory frameworks like HITRUST, HIPPA and FISMA
  • Help CEOs and Boards  prioritize and manage a plan of action to address the vulnerabilities that they face.


Affordable Cybersecurity for Small Business 
Effective cybersecurity is not cheap. It is a state; not a device or an automated platform. It is a customized management system staffed by high-level, full-time professionals.  It typically requires an investment of thousands of hours by highly specialized lawyers, cybersecurity consultants and senior managers. Smaller operations (i.e. operations generating less than $50 million in annual revenue.) simply do not have the option to invest the $500,000 required to start the process. Smaller operations are typically left to rely on off-the shelf consumer applications and automated, cloud-based solutions.

TEMVI Small Business Solutions (TSBS)
To address this affordability issue, we have created TEMVI Small Business Solutions (TSBS). TSBS packages the legal, technical and management services into a custom-scaled yet highly effective affordable cybersecurity solution for smaller operations. Solutions to the the big crises facing our planet will require diverse perspectives. Until organizations of all sizes in our ecosystem are safe from cyberattacks, we are all vulnerable from downstream attacks via trusted connections.

CYBER-EQUITY INITIATIVE 
As well, TEMVI is launching its CYBER-EQUITY INITIATIVE  which focuses on identifying and supporting small business owners from underrepresented communities generating less than $3 million in yearly revenues with pricing and financing packages. These solutions are  scaled to the ability of the organization to pay.  (Click here to learn more)

 

CYBERSECURITY

Are your Information systems secure from hackers? Who says so? As an organization leader you need assurance in the integrity of your defenses and your information systems. Learn more here.

Click Here Now
 

INFORMATION ASSURANCE

How do you know that your enterprise technology platforms are delivering the promised return on investment? This is a CEO and Board legal responsibility.

Click Here Now
 

INFORMATION GOVERNANCE

The CEO and board of directors--not the IT team--are the chief information officers. Failure here could create civil or criminal liability for the CEO and board members.

Click Here Now

SCHEDULE A CONSULTATION

Schedule a 30-minute consultation with a cybersecurity attorney to learn more about how to protect your assets, freedom and reputation with a legal consultation.

Click Here Now
  • Washington, District of Columbia, United States

For more information about CEO and board liability, please reach out to us. A TEMVI associate will contact you to schedule a mutually convenient time for an initial consultation.

Donald Temple, Esq. BA, JD, LLM

Managing Director

LLM, Georgetown University Law Center JD University of California Santa Cruz BA Howard University

Read More  

Dr. Timothy McKnight, MD, MSHM

Chief Strategist and Advisor, Healthcare Administration

MD, Tufts University School of Medicine MS, Healthcare Management, University of Texas BS, Biology, Brown University Pediatric Residency, University of Chicago

Read More  

Mr. Thomas View, Esq., BA, JD

Managing Director

JD Georgetown University Law Center BA Oberlin College Technische Universiteit Delft University of Minnesota - Carlson School of Management

Read More  

Bruce Hargrave CISM, CDPSE, PMP, ITIL

Managing Director

University of Virginia BS, University of Maryland

Read More  

In 2022, Brooks & Associates, CPAs, LLC and TEMVI, PLLC joined forces to realize the opportunity to serve commercial and government clients in the nexus between law, cybersecurity and financial assurance.  Brooks TEMVI JV has significant past performance in the areas of cybersecurity, legal technology and cybersecurity assurance and financial management.  

Cybersecurity

In cybersecurity Brooks-TEMVI has provided subject matter expertise in the planning, execution, implementation, and management of cybersecurity for several government agencies including Federal Emergency Management Agency (FEMA) United States Secret Service and The Department of Homeland Security (DHS). Our recent work has consisted of helping Federal Government clients to   move toward compliance with the new “ZERO TRUST” mandates from Office of Management and Budget (OMB) M-22-0, manage Identity Credential and Access Management (ICAM), Information Assurance & DevSecOps, perform Threat & Risk Enumeration, Assessment Services, Cloud Security and Vulnerability Management.

Legally Assured Cybersecurity 

TEMVI Brooks JV has supplied legally assured cybersecurity advisory services to corporate clients related to programs and strategies required to meet legal obligations associated with the Federal Information Security Modernization Act of 2014 (FISMA).  Also, TEMVI-Brooks partners have provided legal assurance to government contractors who provide services to federal, state and local governments and Fortune 500 corporations.  Such projects included:•     Providing legal advice and perspective to cyber security assessments.

  • Evaluating and weighing the legal and business consequences associated with gaps in cybersecurity controls.
  • Leading business teams in negotiation and documentation of enterprise technology transactions.
  • Managing relationships with clients and program officials.
  • Overseeing and governance provision of legal, analytical support to cybersecurity assessment plans, security controls assessments according to applicable cybersecurity control frameworks (e.g., NIST, ISO-27001, FISMA, FedRAMP, SOC-2, COBIT and MARS e 2.0) project plans, project management.
  • Overseeing development of security assessment plans, risk analyses, plans for system stakeholder engagement, vulnerability assessments; Drafting and Authority to Operate (ATO) packages for system stakeholders.

Financial Management

Brooks TEMVI has assisted over 30 federal government agencies with broad based financial management support and partnered with these agencies to perform broad financial management services; and audit and attestation services. Brooks TEMVI has U.S. Department of Defense Financial Management Credentials. As a prime contractor Brooks-TEMVI has provided financial management services to several Department of Defense (DoD) components. These financial management engagements include audit remediation, accounting operations support, resource management and budget support, data analytic support, business process re-engineering support, financial management training, and program/project management.


SpeakerCamera
WHAT DO YOU NEED TO KNOW?
DO IT NOW
SpeakerCamera
WHAT DO YOU NEED TO KNOW?
DO IT NOW