This is the first of a three-part series on the implications of cybersecurity threats on boards of directors.
Now, more than ever, corporate boards face an immense challenge to ensure that their companies are prepared for cybersecurity threats before they occur. It is not question of if a corporation will be hit by a cybersecurity incident or data breach, but when.
The Existing Cybersecurity Landscape and Associated Risks
The landscape that corporate boards face has never been more treacherous, with class actions and derivative lawsuits waiting to be filed, as well as very proactive regulatory and governmental oversight – all in the absence of an overarching federal law that preempts the myriad of over 47 different state notification laws that apply to the cybersecurity area. (See 4 Steps Boards Should Take Toward Compliance 2.0, Corporate Counsel, May 26, 2015, Donna Boehme and Michael Volkov.) “Boards are under extraordinary pressure to perform. Aggressive oversight by the U.S. Department of Justice and regulatory agencies, along with activist shareholders and class action plaintiffs’ lawyers, have forced corporate boards to respond to risks and embrace new solutions.” (Id.) Indeed, cybersecurity is now ranked by Travelers Business Risk Index as the No. 2 biggest threat that companies face – up from No. 5 last year. (Corporate Nightmares: Identifying Your Biggest Risks, Corporate Counsel, May 27, 2015, Marlisse Silver Sweeney; See also Cybersecurity Boardroom Implications, National Association of Corporate Directors (“NACD”), https://www.nacdonline.org/Resources/Article.cfm?ItemNumber=8486) (See also House Ok’s Bill To Shield Cos. Sharing Cyberthreat Info, Law360, April 22, 2015, Allison Grande.)
Lest the magnitude of the cybersecurity risk be underestimated, data breaches are now on track to cost companies $2.1 trillion globally by 2019. (Data Breaches on Track to Cost Companies $2.1 Trillion, Corporate Counsel, May 14, 2015, Sue Reisinger.) And it is more critical now than ever for corporate boards to be keenly cognizant of the fact that “’security is not just a legal issue; it’s not just an IT issue.’ Instead . . . every in-house counsel should engage boards and the CEO to make sure that it’s an ‘organizational priority.’” (Id.)
Boards should not “count on luck but rather on a plan that anticipates where a security breach might occur, what the target and magnitude might be, and how it can be effectively contained.” (Is Your Board Focused on Cyber Preparedness?, Director Advisory, February 2014, Nels Olson, Aileen Alexander, Jamey Cummings.) The potential damage from a data breach can be far-reaching and crippling: disruptions in crucial operations, destruction of critical data, and reputational damage, among other things. (Id.) “Smart boards ensure their companies are continually on alert, preventing those breaches they can and ready to spring into action when something untoward occurs. . . . You don’t want to waste precious time scrambling when there’s a breach, so make sure the board had ongoing line of sight into security-related budgets, company policies, and leadership roles and responsibilities in case there is an event.” (Id.)
Even the SEC has weighed in on cybersecurity, increasing its scrutiny of companies’ preparedness (or lack thereof) in the area of cybersecurity. In April 2014, the SEC announced that its Office of Compliance Inspections and Examinations (“OCIE) would thereafter be conducing examinations of registered broker-dealers, as well as investment advisors, focusing on areas of cybersecurity preparedness. (Regulator House Calls: Cybersecurity Examinations and Audits, Corporate Counsel, May 4, 2015, Dixie L. Johnson and Ehren K. Halse.) In early 2015, the OCIE released the results of examinations that it had conducted of 57 broker-dealers, and 49 registered investment advisors, together with guidance to investors relative to how to best protect their online brokerage accounts from fraud. (Id.) These recent inspections and audits by the SEC demonstrate that regulators are becoming increasingly proactive in monitoring companies relative to their cybersecurity efforts, and it is imperative that corporate boards take heed.
During his remarks at the June 10, 2014 “Cyber Risks and the Boardroom” conference at the New York Stock Exchange, SEC Commissioner Luis Aguilar made the following comments, including comments focused specifically upon the duties of corporate boards:
“Given the significant cyber-attacks that are occurring with disturbing frequency, and the mounting evidence that companies of all shapes and sizes are increasingly under a constant threat of potentially disastrous cyber-attacks, ensuring the adequacy of a company’s cybersecurity measures needs to be a critical part of a board of director’s risk oversight responsibilities.
In addition to the threat of significant business disruptions, substantial response costs, negative publicity, and lasting reputational harm, there is also the threat of litigation and potential liability for failing to implement adequate steps to protect the company form cyber-threats. Perhaps unsurprisingly, there has recently been a series of derivative lawsuits brought against companies and their officers and directors relating to data breaches resulting from cyber-attacks. Thus, boards that choose to ignore, or minimize, the importance of cybersecurity oversight responsibility, do so at their own peril.”
(Click here for more information) (Emphasis added)
In his November 14, 2013 testimony before the Senate Committee on Homeland Security and Governmental Affairs, FBI Director, James Comey, echoed the concerns expressed by Commissioner Aguilar: “[R]esources devoted to cyber-based threats will equal or even eclipse the resources devoted to non-cyber based terrorist threats.” (Click here for more information).
Next week, the second part of this series will address the litigation risk facing boards in connection with cybersecurity risks.