Cybersecurity and the board: avoiding personal liability — Part III of III: Policies and procedures
In the previous two installments of this series (Part I and Part II), we discussed the fiduciary obligation of officers/directors to proactively address cyber security and the legal basis for holding them personally liable if they fail to do so. This third and final article explores the more difficult task of deciding which best practices directors should consider adopting. Because each enterprise faces unique challenges, this process requires that directors understand their company’s cyber security risk profile and the options available for mitigating the risk.
When deciding which policies or procedures to adopt, boards should consider how their decisions will be viewed after an incident occurs. Following a loss or serious data breach, the various interested parties – stockholders, regulators, customers, politicians, media, and courts – will seek to assign blame. This chorus of finger pointers will inevitably be looking through the distorted lens of hindsight. Directors will not be accorded the benefit of the doubt, the presumption of good faith will be thrown out the window, and a conscientious cost-benefit analysis will be characterized as a deliberate decision to sacrifice data security on the altar of corporate profits.
So how can a board of directors ensure their decisions will withstand the scrutiny of 20/20 hindsight?
First, directors should understand their company’s cybersecurity risk profile, which is a combination of how likely it is a company will suffer a cyber attack and the severity of the consequences that may flow from an attack. Next, boards should examine measures adopted by companies with a similar risk profile and consider whether those policies would work in their organization. Boards should also review the recommendations of experts in the areas of cybersecurity and corporate governance to see which best practices are being endorsed. Following these steps will not guarantee safety from an attack or invisibility from second-guessers, but it will allow boards to demonstrate their careful consideration of the issue and how the procedures ultimately adopted were in accord with industry practice.
Cybersecurity risk profile
Every company will have a unique cybersecurity risk profile, falling within a spectrum ranging from high to low risk. Higher-risk companies will be expected to expend greater resources protecting their cyber assets by implementing more comprehensive measures than a low-risk enterprise.
Companies in the financial industry are exposed to high cybersecurity risk. For these companies, it is not a question of “if they will be attacked” but of “when and how frequently they will be attacked”. Financial companies may also suffer more significant consequences in the event of an attack. In addition to losses ranging from tens to hundreds of millions of dollars at the hands of cybercriminals, this is a heavily regulated industry subject to myriad state and federal regulations governing the protection of customer information. Many of these regulations call for the levying of hefty financial penalties for even minor infractions and data breaches.
More often than not, companies will fall somewhere in the middle of the risk spectrum. So it is important that companies do not mechanically apply risk factors or overemphasize one factor over the other, such as focusing on the likelihood of an attack and not considering its potential impact. For example, critical infrastructure companies engaged in transportation, electrical generation/transmission, or oil and gas production may have a moderate to low risk of suffering an attack as compared to financial institutions. But they nonetheless have a high cybersecurity risk profile because an attack could cripple large segments of the country and economy.
On the other hand, there are companies viewed as having a low-risk profile because the harm from a breach is presumed to be insignificant. This assumption, however, can be disastrously incorrect. This was shown when a recent breach of the Associated Press’s Twitter account resulted in a “tweet” stating that President Obama was injured in an explosion at the White House. Within three minutes of the “tweet” being sent, virtually all U.S. markets went into free fall, wiping out $136.5 billion of the S&P 500 index’s value.
Speak to your peers and experts
Once directors understand their company’s risk profile, they should consider how similarly-situated enterprises are addressing cybersecurity at the board level. Although a market check is helpful, following the pack should not lull directors into a false sense of security. Unfortunately, many companies are just now focusing on cybersecurity, and there are significant disparities across industry groups and geographic locations.
As evidenced by a 2012 governance survey conducted by Carnegie Mellon University CyLab, with regard to U.S. boards of directors, 71 per cent rarely or never review privacy and security budgets, 79 per cent rarely or never review roles and responsibilities, 64 per cent rarely or never review top-level policies, and 57 per cent rarely or never review security program assessments.
These statistics are surprising on their own, but they are truly shocking when one considers that 75 per cent of the respondents were from critical infrastructure industry sectors, primarily the financial, energy/utilities, IT/telecom, and industrials sectors. These sectors all have a high-risk cybersecurity profile.
The CyLab report also revealed troubling discrepancies when American companies are compared to their European and Asian counterparts. While only 28 per cent of U.S. company boards have established a risk/security committee, nearly 60 per cent of European and 95 per cent of Asian companies have such committees. Of this group, only 35 per cent of the U.S. companies have a risk committee separate from the audit committee, compared with 76 per cent of Asian companies. Similarly, only 44 per cent of U.S. boards review top-level security policies, compared with 62 per cent of European and 67 per cent of Asian companies.
These findings support the conclusion that U.S. companies continue to lag behind European and Asian boards when it comes to understanding key activities associated with privacy and cyber security governance.
Akin to the geographic disparity, there are significant differences in how various industry segments address cyber security. For example, the CyLab report found that the financial sector is substantially more likely to have a separate risk committee than are companies falling within the critical infrastructure segment. But the boards for old-line industrial companies are much more focused on ensuring they have adequate cyber insurance coverage than are the higher-risk financial companies. And although IT/telecom companies place significantly more emphasis on having board members with technology experience, they rarely establish board IT/technology committees. This inconsistency is also present in the area of privacy, where IT/telecom companies are least likely to have a chief privacy officer, even though they have some of the most stringent privacy compliance programs.
Taking into consideration everything that has been discussed above, and in the prior two articles, it is now time to discuss exactly what protocols a good, conscientious board should adopt. Fortunately for corporate boards, a number of organizations have compiled extensive recommendations and best practices for addressing cyber security. Two widely recognized groups whose recommendations should be considered are the International Organization for Standardization (ISO) and the National Institute of Standards and Technology (NIST). Both the ISO and NIST focus on promulgating widely accepted best practices and standards in a multitude of areas, including cyber security.
There are, however, a number of recommendations falling within the classification of low-hanging fruit that all boards should consider when contemplating the adoption of comprehensive cyber security policies.
For starters, boards should be informed. An obvious first step is for directors to demand regular reports from senior management on privacy and security risks. Ideally, reports would be made to a risk committee with responsibility for enterprise risk, including IT risks. It may be advisable for the risk committee to be separate from the audit committee and report directly to the full board. Boards should also seek to recruit directors with IT governance and cyber security risk experience. All too frequently, boards have no IT experience and are forced to rely upon their technology departments. This reliance undermines the board’s ability to critically and independently evaluate security policies.
To help ensure that risks are regularly monitored, there should be a cross-organizational team of senior executives that is required to meet at regular intervals to coordinate and communicate on privacy/security issues. This committee can go a long way toward developing a culture of healthy respect for cyber security and serving as a central location where various organs of the company can coordinate security programs. Because funding is crucial to any successful effort, boards should review privacy/security budgets and direct sufficient funding to cybersecurity initiatives.
To ensure that their company is well positioned to respond to a cyber attack, it is imperative for boards to regularly review their organization’s incident response programs. Given the lightning speed at which the Internet operates, and at which data can be stolen, companies cannot wait until after a breach has occurred to formulate a response. Rather, companies need to have a well thought-out and comprehensive plan to address a cyber security breach. This would include protocols for internal notification and communications regarding a breach. A plan should establish clear chains of authority for stopping a cyber intrusion, securing data networks and implementing disaster recovery steps on a priority basis. Incident response plans must address external breach notifications to customers, the markets, employees and, if necessary, the appropriate authorities.
Last but certainly not least, directors should require a comprehensive review of their organization’s insurance policies to determine whether, and to what extent, they have coverage in the event of a cyber attack or breach. This process should include an assessment of the company’s cybersecurity risk profile (as discussed above) and the creation of potential loss valuations to make sure that appropriate levels of insurance coverage are maintained.
Cyber insurance should cover both internal and external related losses. Internally, insurance should at a minimum pay for business interruption expenses, legal expenses, loss of digital assets, and security event response costs. Externally, there should be coverage for third-party damages, credit-monitoring expenses, postage, advertising, and customer notification – just to name a few.
The fiduciary obligation of officers and directors to proactively address cybersecurity risks cannot be seriously disputed. Neither can the risk to companies’ important data posed by cyber criminals, foreign governments, employees and simple negligence. The failure to address these risks can expose companies and their stockholders to significant financial losses and directors to potential personal liability. To avoid this outcome, directors need to proactively adopt best practices and policies to combat the cyber security threats facing their organization.
(Steven L. Caponi is a partner at Blank Rome LLP. His national litigation practice covers all facets of business litigation, including corporate and IP matters, cybersecurity, M&A litigation, and securities litigation. He can be reached at Caponi@BlankRome.com.)
(This article was produced by the Compliance Complete service of Thomson Reuters Accelus.)