Cyber Risk Is Business Risk. Is Your Board Actively Engaged?

“A board’s failure to manage cyber risks could create a threat of litigation against a company or lead shareholder groups to advocate the ouster of board members”  – former SEC Commissioner Aguilar, June 10, 2014

Probably not.  But, they’re getting there.  And it should be a priority because cyber risk is business risk.

In the past, boards have briefly discussed cyber risk during meetings at best, and at worst, have completely ignored it.  As cyber incidents, and in turn, lawsuits related to these incidents, continue to rise, boards would be wise to include the topic at every major meeting.  Particularly since recent opinion is that boards have a fiduciary responsibility to exercise appropriate oversight on cybersecurity risks.  Cyber risk is business risk, and boards should approach it as such.

Risks

Litigation against the board after a cyber incident is not uncommon, and in fact, has become almost a given.  The nature of the allegations might change, whether it’s securities litigation due to a stock drop or breach of fiduciary duty litigation, but boards continue to face lawsuits related to their duty of care or oversight.

In July 2019, Capital One disclosed a breach that involved the personal information of over 100 million customers in the U.S. and another 6 million in Canada.  Following the disclosure, the company’s share price dropped approximately 6%.   In October, a plaintiff shareholder filed suit alleging a number of statements Capital One made about its data security in its SEC filings were materially false and misleading.  These inevitable lawsuits raise a number of questions related to the board’s cybersecurity efforts.  Was the board fully apprised of the cybersecurity posture of the company?  Did they receive regular updates from management?  The ultimate question is really whether they satisfied their fiduciary duty.  Ideally, the board will be able to show it was proactive about cybersecurity.

The regulatory landscape continues to evolve, as well.  The EU’s General Data Protection Regulation (GDPR), the New York Department of Financial Services Cybersecurity Regulation, and the recently enacted California Consumer Privacy Act (CCPA) have increased the need (and desire) for cyber compliance.  Federal privacy legislation has been discussed in great depth, but has yet to pass, which means companies must be prepared to comply with the patchwork of state and foreign regulations currently in play.  That’s a daunting task without board assistance.

Members of Congress have been attempting to address data privacy and cybersecurity, including through SEC involvement.  In March 2019, Congress reintroduced legislation from 2017 that would require publicly traded companies to notify the SEC whether any members of the board are cybersecurity experts.  If the board does not have a cybersecurity expert, the company must explain why the expertise is not necessary.  The legislation is unlikely to pass soon as there is disagreement over the definition of “cybersecurity expert,” among other terms.  Whether or not these efforts ultimately pass, the legislation sends a clear message – cybersecurity needs to be a top priority.  Foreign regulators have already sent this message through large fines against British Airways, Uber, and Marriot.  Companies should be prepared to answer questions when the regulators come knocking.

Challenges

One of the challenges: communication between the board and the CISO (or equivalent).  Traditionally, board members have not been well-versed in technology or cybersecurity best practices.  And CISOs have generally lacked the business experience to speak to the board in laymen’s terms.  But communication is key, and it is imperative for board members to fully understand the security risks facing the company.  Expertise and insight are necessary for a board to make informed decisions related to cybersecurity.  By framing the discussions around the overall goals of the company both sides can come together to minimize cyber risk and prepare for any potential incidents.

The ability to quantify the financial risk associated with a cyber incident or technology failure, in terms of material impact to the business, is paramount.  Reputational harm, business interruption from ransomware attacks, and class action lawsuits are just a few of the potential consequences of a breach.  And unfortunately, the chances a company will experience a cyber incident are high.  Based on a recent survey, 80% of IT business leaders anticipate a critical breach or successful cyberattack within the year.  80%!

In early January, several regulators, such as The Cybersecurity and Infrastructure Security Agency (CISA), put the private sector on high alert for the potential increase of cyberattacks following the killing of a leader of Iran’s Quds Force.  CISA recommended organizations take a number of actions, including increasing organizational vigilance and confirming a reporting process is in place.  Although there is no specific threat at this time, critical infrastructure and large corporations have been targets in the past, and the threats are very real.  Most of the CISA recommendations are fairly basic, but without board and upper level management support, these types of things may fall through the cracks.

Most risk management consultants would tell a board that a culture of compliance starts at the top.  It needs to be a companywide concern, and everyone from the top down needs to be invested.  Senior management engagement is increasingly important to shareholders, investors, employees, and consumers, and when the board prioritizes cybersecurity they can ensure necessary policies, procedures, and endeavors are appropriately funded.

In case you forgot, cyber risk is business risk. 

Where to go from here

If you sit on a board and don’t know where to start, there are a number of resources available.    The National Association of Corporate Directors (NACD) offers some direction when it comes to this complicated topic.  They recognize that board oversight is practically a requirement in our current environment, and offer five core principles to focus on:

1. Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue.
2. Directors should understand the legal and regulatory implications of cyber risks as they relate to their company’s specific circumstances.
3. Boards should have adequate access to cybersecurity expertise, and discussions about cyber risk management should be given regular and adequate time on the board meeting agenda.
4. Directors should set the expectation that management will establish an enterprise-wide risk management framework with adequate staffing and budget.
5. Board management discussion of cyber risk should include identification of which risks to avoid, accept, mitigate or transfer through insurance, as well as specific plans associated with each approach.

Compliance is not a one-time endeavor; it’s an ongoing discussion that takes time, resources, and commitment.  The risk profile of a company changes regularly as it relates to technology and cyber exposures, which necessitates a continuous cycle of evaluation and analysis.  That can seem daunting to some, but as former SEC Commissioner Aguilar alludes to, corporate boards that ignore cybersecurity do so at their own peril.

Emily consults on risk management and insurance solutions across a variety of industries, with a particular focus on technology, venture capital, and private equity risks. Emily previously worked as a cyber and technology insurance broker at one of the largest international brokers.  Prior to that, Emily was practicing law, focusing on professional liability insurance defense.  In addition to her Juris Doctor, Emily completed the Certified Information Privacy Professional (CIPP/US) designation and the Registered Professional Liability Underwriter (RPLU) designation.  She is licensed to practice law in Kansas and Missouri and has her Kansas insurance license. Connect with Emily on Linked here