The recent barrage of high-profile corporate cyberattacks demonstrates that cybersecurity weaknesses pose a serious corporate threat that can inflict tremendous costs on businesses.
Cybercrime costs the world economy an estimated $400 billion each year, and losses to U.S. companies account for more than 25 percent of this global total, according to a report by the Center for Strategic and International Studies.
No business with a digital presence is immune to cybersecurity risks, which include:
- Reputational damage and loss of goodwill
- Penalties for non-compliance with data privacy regulations
- Litigation risks, including consumer class actions and shareholder derivative litigation, among others
- Lack of appropriate insurance coverage for cybersecurity incidents
The recent attack on Sony Pictures and the devastating impact it has had on Sony’s operations provide a frightening example of the risk facing all businesses, even those that might believe themselves to be unlikely targets. As SEC Commissioner Luis A. Aguilar recently noted: “boards that choose to ignore, or minimize, the importance of cybersecurity oversight responsibility, do so at their own peril.”
It would be unreasonable to expect all corporate directors to be adept at the highly technical aspects of information security. At the same time, directors’ fiduciary duties to oversee the company’s affairs and monitor risk extend to cybersecurity.
The following steps should provide a framework to ease this tension.
1. Designate Cybersecurity Point People and Obtain Adequate Expert Support
Boards should appoint a set of directors responsible for cybersecurity, and seek expert guidance. In some corporations it may be possible to appoint directors with particular cybersecurity expertise. Other companies may need to rely on outside experts to train the board, or to delegate cybersecurity issues to a dedicated committee. There is no one-size-fits-all solution, and boards will need to consider their particular resources to ensure they possess the expertise required to effectively oversee the company.
2. Proactively Assess Cybersecurity Weaknesses
Companies should routinely perform risk assessments, utilizing experts where needed. This should include assessment of data system vulnerabilities, as well as physical and cryptographic security measures. It should also include consideration of what information companies collect, how it is used, and whether companies are creating unnecessary risk by over-collecting data or storing stale data beyond its useful life.
3. Develop and Practice a Data Breach Response Plan
When responding to a cyberattack, time is of the essence. Having a well-orchestrated response plan is critical to mitigating the legal and economic fallout from a data breach. A delayed response can increase the risks of reputational damage, loss of consumer confidence and financial losses. More importantly, federal and state regulators are aggressively seeking to penalize companies that do not promptly react to cybersecurity incidents.
4. Establish a Clear Chain of Command
In the wake of a cyberattack or data breach, there will likely be competing objectives and concerns among corporate stakeholders. For example, brand management or public relations concerns may conflict with disclosure requirements. Establishing an internal cybersecurity response team with input from critical business units and a clear allocation of decision-making authority will minimize internal disagreement, confusion and delay in the event of a cybersecurity incident.
5. Reevaluate Insurance Coverage
Losses from cyberattacks and data breaches may not be covered by customary commercial insurance policies. Directors & Officers (D&O) insurance policies may offer better coverage for such losses in certain contexts, but this shouldn’t be assumed. To avoid potentially expensive coverage exclusions, boards should reevaluate: (1) current insurance policies to determine whether cyberattacks and the cost of remedial efforts that follow are excluded, and (2) whether additional cybersecurity-specific insurance coverage is warranted.
6. Continuously Monitor Business Practices and Risks
Criminals, hackers, and even foreign governments are constantly adapting to cybersecurity protections and adopting sophisticated techniques to circumvent the most advanced security measures. Corporations need to be similarly nimble in adapting to the ever-changing nature of the threat. Boards, or their delegates, should establish regular and systemic risk review procedures to stay ahead of the threat.
The scope of cybersecurity-related ramifications to corporations and their boards is still unfolding. Customer, shareholder, and regulator responses to cyberattacks are evolving as incidents continue to increase in severity. Although there is no silver bullet, a board that is active in implementing controls to prevent, detect, and remediate cyberattacks is well-situated to defend a variety of future claims.