It Can (and Probably Will) Happen to You
Between 2008 and 2010, a global hotel and resort chain headquartered in the U.S. was hacked three times. Cyber criminals stole customer information stored on servers around the world and racked up more than $10 million in fraudulent credit card transactions. Lawsuits brought by private plaintiffs and regulators ensued, alleging lax security practices. They included a derivative suit against individual members of the company’s board of directors.
But the company’s board had done its due diligence, proactively addressing cyber security by establishing policies and conducting routine audit reviews in advance of the incidents and by implementing the recommendations of outside consultants in their aftermath. The derivative suit against the board ultimately was dismissed.
The Growing Cyber Threat
This is another case in an ever-expanding list of corporations sent reeling from the far-reaching and costly effects of cyber crime. It’s also a poster child for the importance of a threat management program that is actively overseen by the company’s board of directors.
Yet many organizations are slow to take a proactive approach. According to the 2015 Global Information Security Survey by Ernst & Young, 36 percent of businesses do not have a cyber security program. Sixty-three percent say threat and vulnerability management is a medium or low priority for their organization.
This is a risky stance for a business to take nowadays. Data breaches cost U.S. companies an average of $6.5 million in 2014, up 11 percent from 2013, according to the Ponemon Institute’s 2015 Cost of Data Breach Study: United States. The average cost per compromised record reached a record high of $217, up from $201 the year before.1 But actual breach events have shown that a company’s potential for loss goes far beyond dollars and cents. Intangible damage to a company’s reputation, intellectual property, productivity and more can also take a costly toll.
A New Board-Level Duty Of Care
Given the high threat of loss, cyber security has become a “duty of care” that boards must address.
“Ensuring the adequacy of a company’s cyber security measures needs to be part of a board of directors’ risk oversight responsibilities,” said SEC Commissioner Luis Aguilar in his speech, “Sharpening the Focus,” presented at the 2014 Cyber Risks and the Boardroom conference.2
Even a perceived lack of diligence on the board’s part may make individual members vulnerable to lawsuits alleging breach of their fiduciary responsibility. Yet cyber security is a challenging new frontier for directors, who may be intimidated by its many risk factors and technical considerations, not to mention an ever-evolving threat environment in which attackers rely on surprise.
Guidelines for Getting Started
How can boards protect themselves? First, they can be reassured that they do not need to be technical experts in cyber security. Their role is one of oversight and their job is to consider cyber security from an overall risk management perspective and to be actively engaged in the decision-making process. More specific controls are the responsibility of employees who put the board’s high-level strategic direction into practice.
These guidelines can help board members get started at the right level:
- Educate yourself on cyber regulations on the state and federal government levels and the steps they mandate in the event of a breach.
- Understand the company’s potential cyber exposure, including the sensitive information it holds, where it’s stored, how it’s protected and the potential threat actors from within and outside the company.
- Leverage third-party expertise to evaluate the company’s cyber risk, assist in developing its strategy, consult on security issues and respond to board questions.
- Ensure that management has a well-thought-out plan in place to prepare the company for the inevitability of a cyber attack, including business continuity and disaster recovery procedures.
- Cultivate cyber security as a company-wide concern. Require security awareness training for employees, and ensure that administrative privileges are tightly controlled and granted only to the people who need them.
- Require third-party providers and vendors to be thoroughly vetted to ensure they are not a potential source of a cyber attack. If they are an Internet service provider, ensure that they can also effectively respond to and recover from an attack on their own network.
- Establish a reporting structure that assures ongoing and direct board knowledge. For instance, the company’s security officer may meet with the full board or a special cyber committee of board members on a monthly or quarterly basis to review any incidents, their cause and corrective action needed.
- Maintain a factual record of cyber incidents, their frequency and severity, and what was done in response. Document the board’s involvement and the rationale for all of its risk management decisions, including those that are proactive. It was the hotel company’s extensive documentation of the board’s discussions and decisions that cleared its directors of negligence.
- Get insurance to protect the company from the cost of a cyber attack as well as its board and officers from lawsuits filed for breach of fiduciary duty.
Transferring the Risk with Insurance
Cyber crime is pervasive. It’s only a matter of time before any given business becomes its hapless victim. Insurance can help fill the gap of a potentially large financial loss that may arise as a result.
Two types of cyber-related coverages are essential for corporations that rely upon the Internet for any aspect of their business:
Comprehensive cyber liability insurance offers crisis management expertise in the event of a breach and can pay for first- and third-party costs associated with it, including (but not limited to) expenses related to the investigation, customer notifications, credit and identity theft monitoring, privacy and security liability, business interruption, legal costs and regulatory fines.
Directors and Officers (D&O) insurance protects the personal assets of a business’s directors and officers if they are sued for actual or alleged wrongful acts committed in managing the company.
Stand-alone coverage for both eventualities will ensure comprehensive, tailored protection against the pervasive risk of cyber attacks that are growing in frequency and magnitude.