“[B]oards that choose to ignore, or minimize, the importance of cybersecurity responsibility do so at their own peril.” SEC Commissioner Luis A. Aguilar, Boards of Directors, Corporate Governance and Cyber-Risks: Sharpening the Focus, Speech at the New York Stock Exchange (June 10, 2014).
Since the financial crisis, corporate governance has increased the focus on risk management. And, in recent years, cybersecurity has increasingly become a key issue in risk management due in large part to the growing realization that most companies’ assets are digital, and that most systems are networked and connected to the Internet, leaving such assets subject to any number of targeted cyberattacks from increasingly sophisticated threat actors, including state actors with unlimited resources to conduct such attacks. In a recent study of 63,436 incidents investigated by Verizon Enterprise Solutions, 1,367 security incidents with confirmed data loss occurred in 2013. Some of those attacks were large-scale attacks on payment card systems, resulting in unprecedented exposure for the victim companies.
As the number of data breaches increases, and the occasional breach with millions of records impacted continues to receive widespread and far-reaching publicity, so does scrutiny surrounding those breaches. Such scrutiny includes increased regulatory interest in cybersecurity practices of companies, both before and after an incident. At the federal level, in the past several years, the U.S. Securities and Exchange Commission (SEC), in an effort to protect shareholders, has shown growing interest in cybersecurity issues, perhaps second only to the Federal Trade Commission (FTC). Such interest has manifested itself through cyber risk disclosure guidance, roundtable discussions, cybersecurity enforcement actions, speeches (including those specifically addressing cyber risk and the Board), and importantly, proactive staff examinations focused on cybersecurity practices of regulated companies.
In addition to increased regulatory scrutiny, companies are also facing a growing number of lawsuits related to data breaches and security incidents, including those brought by shareholders. In the past several months, two organizations that were victims of payment card breaches orchestrated by organized criminal groups have faced lawsuits seeking to hold corporate directors and officers liable for damages arising from these costly security incidents, based on theories of breach of fiduciary duty and corporate waste.
In this era of increased cybersecurity scrutiny and litigation, it is imperative that directors educate themselves on the risks the company may face related to cybersecurity, as well as the risks that any director may face individually. Board members must also involve themselves in the company’s cybersecurity strategy both before and after a data breach. This advisory discusses the developing cyber risk landscape, the increased regulatory interest in cybersecurity, particularly from the SEC, and the impact on potential director liability for cybersecurity deficiencies (or perceived deficiencies). It concludes with practical guidance to help board members navigate the all-too-unfamiliar cyber risk and cybersecurity landscape.
The Cyber Risk Landscape
The risk exposure for cyberattacks continues to rapidly increase. Once a risk involving one-time smash-and-grabs by intellectually curious teenagers, cyber risk has quickly evolved into cybercrimes involving deep and prolonged access to hundreds of systems by various advanced-threat actors with a variety of malevolent motives. This shift has dramatically altered the risk profile presented by a cybersecurity incident, and such an incident is now more likely to result in heavy financial losses, enforcement actions, and lawsuits against the company and its officers and directors.
Indeed, in the past two years the cost of a data breach to a company has increased. A breach costs on average $201 per compromised record, for an average total cost of $5.9 million, of which $3.2 million is attributable to lost business: above-normal customer turnover, increased customer acquisition activities, reputation losses, and diminished goodwill. Above-normal customer turnover following a data breach has increased 15 percent over the prior year.
With the increase in the number of breaches and the number of consumers or individuals impacted comes increased interest from local and national media. More than 254 data breaches have been publicized in 2014, a 233 percent increase from last year. Media scrutiny not only contributes to the potential damages to a company’s reputation, but also increases the likelihood of claims against the company. For example, Target’s much-publicized breach has led to at least 30 bank cases, more than 80 consumer cases, and four shareholder cases, all of which have been consolidated into one multidistrict litigation proceeding.
Even where an incident does not trigger an immediate notification obligation that is guaranteed to bring media attention, federal law enforcement’s expansion of the types of cybercrimes and bad actors it investigates and prosecutes criminally means companies should increasingly expect future publicity of previously unreportable events—for example, by being named as victims in criminal indictments. Recently, three U.S. public companies were among the victims named in the first-ever criminal indictment of state-sponsored actors for cyber espionage activities. After the Department of Justice (DOJ) indicted several Chinese military officers for carrying out the attacks, which involved the theft of trade secrets and other data, the companies found themselves receiving scrutiny for not having previously disclosed the cyberattacks to investors in their filings. Although the companies have maintained that the thefts were not “material,” Attorney General Eric Holder stated when announcing the indictment that the information “stolen in this case is significant.” Events of this kind invite increased investor scrutiny.
This increased attention is being felt in the boardroom. Following Target’s much-publicized 2013 data breach, proxy advisory firm Institutional Shareholder Services Inc. (ISS) urged shareholders to vote out seven of Target’s 10 board members for allegedly mishandling the data breach. In a report supporting the recommendation, ISS focused on “the board’s alleged failure to manage risk and protect Target from the massive data breach.”
However, investor reaction to data breaches is unpredictable. For example, following eBay’s May 2014 notice of a data breach affecting consumer information, investors appeared unfazed, leading some analysts to conclude that investors ignore these events. While investors may be apathetic to the continued stream of incident reporting, producing what many have labeled “breach fatigue,” they are far more likely to pay attention to an enforcement action or private litigation concerning an organization’s security practices, particularly where that action results from a proactive or reactive assessment of those practices by regulatory authorities.
Increased Regulator Scrutiny
While previously an almost exclusive domain for reactive inquiries following a publicized security incident, recently regulators across industries at the federal and state level have increased their proactive inquiry of cybersecurity practices of companies. Examples include the Federal Communications Commission (FCC) (announcing a “new regulatory paradigm” in which the FCC will develop a risk assessment tool for the telecommunications industry), the Food and Drug Administration (FDA) (actively analyzing cybersecurity threats related to medical devices), and the New York Department of Financial Services (launching an initiative to assess insurance companies’ cybersecurity policies by sending out so-called “308” letters). Notably, the SEC’s Office of Compliance Inspections and Examinations (OCIE) has launched an initiative to assess the cybersecurity preparedness of 50 registered broker-dealers and registered investment advisors, and focuses on:
the entity’s cybersecurity governance, identification and assessment of cybersecurity risks, protection of networks and information, risks associated with remote customer access and funds transfer requests, risks associated with vendors and other third parties, detection of unauthorized activity, and experiences with certain cybersecurity threats.
In conjunction with the announcement of the initiative, the OCIE published a sample list of requests for information that the OCIE may use in conducting the examinations—a rare disclosure. Notably, this list provides valuable insight into the types of inquiries that regulators may make and the types of practices that they may expect organizations to have in place related to cybersecurity matters.
In the midst of this proactive interest, the National Institute of Standards and Technology (NIST) finalized a year-long process to create a Cybersecurity Framework (“Framework”) in response to Executive Order 13636. Directly applicable to the 16 identified critical infrastructure sectors, the Framework is a voluntary tool for reducing cybersecurity risk that identifies beneficial cybersecurity practices and creates a common language for discussing those practices. Whether the Framework is truly voluntary for critical infrastructure entities is a matter of much debate. Recent regulator statements suggest that regulators will look to the Framework as instructive guidance and expect companies to be actively considering its relevance to their organization. Such a position was recently articulated by SEC Commissioner Luis A. Aguilar, who stated that “boards should work with management to assess their corporate policies to ensure how they match-up to the Framework’s guidelines—and whether more may be needed.” Moreover, while the broader adoption of the Framework outside of critical infrastructure sectors remains to be seen, the Framework foretells potential increases in the expectations for baseline security for organizations across the board.
Impact on Potential Director Liability for Cybersecurity Deficiencies
Because cybersecurity is in the spotlight in both the public and private sector, corporate directors and officers are expected now more than ever to be fully engaged in overseeing their companies’ cybersecurity protections and responses.
Important Legal Standards and Recent Trends in Cybersecurity Litigation
Lawsuits against individual directors and officers will most likely arise in the form of shareholder derivative actions and securities fraud class actions. In derivative actions, claimants typically assert that the directors breached their duties of care to the company. The duty of care is an oversight obligation that entails “a duty to attempt in good faith to assure that a corporate information reporting system, which the board concludes is adequate, exists, and that the failure to do so . . . may . . . at least render a director liable for losses caused by non-compliance with applicable legal standards.” Another possible derivative claim is that directors’ actions wasted corporate assets. For both claims, directors’ decisions are protected by the business judgment rule if the decisions are informed and made in good faith.
After a widespread data breach jolted Target Corporation in 2013, four derivative suits against Target’s directors and officers were consolidated in the District of Minnesota. These cases allege breach of fiduciary duty, waste of corporate assets, gross mismanagement, and abuse of control. Under similar circumstances, a shareholder of Wyndham Worldwide Corporation filed a derivative lawsuit earlier this year after three data breaches allegedly resulted in the theft of more than 619,000 consumer payment card account numbers. The complaint alleges breach of fiduciary duties, corporate waste, and unjust enrichment against certain directors and officers for failing to implement adequate security policies or update the company’s security systems, and for aggravating the damage by failing to timely disclose the data breaches in the company’s public filings. As discussed below, the claims in these cases stem from the directors’ and officers’ conduct before, during, and after the breach. Although Target and Wyndham are not the first to face derivative litigation in the wake of a breach—TJX Companies dealt with similar suits arising from its 2007 data breach—the tendency of these cases to settle means there is little guidance from the courts in the cybersecurity context.
Securities fraud class actions are most likely to arise when a company’s stock price drops proximate to disclosure of a data breach. In these lawsuits, shareholders allege that they relied—to their detriment—on a company’s material misrepresentation, which in the context of a data breach could derive from, among other things, public statements about a company’s cybersecurity protective measures, its risk level for a breach, or the effect or pervasiveness of a breach once it has occurred. Liability in these cases is predicated in part on a showing that the misrepresentation was both material and made knowingly or recklessly. Securities fraud actions can also be asserted against individual officers who make or have authority over the misrepresentation, such as in press releases or SEC filings.
In securities class actions, courts may require a “statistically significant” decline in the company’s stock price. As a result, non-significant drops are less likely to give rise to securities class action suits. For example, when Apple Computer announced attacks on its system in 2013, it did not experience a significant stock price drop and was not sued in a securities class action.
On the other hand, where a significant stock decline occurs, companies should prepare for shareholder litigation. One example is Heartland Payment Systems, a bank card payment processing services company that suffered a breach, disclosed in 2009, in which 130 million debit and credit card numbers were stolen. Shortly after the data breach was disclosed, Heartland’s stock price declined, falling as much as 80 percent. The Heartland shareholders brought suit alleging that the company had concealed a past cyberattack on its network and made fraudulent statements about the state of the company’s cybersecurity. The court dismissed the complaint, holding in relevant part that (1) the company’s failure to disclose a past cyber incident was not a material omission; and (2) plaintiffs failed to allege with the requisite particularity that Heartland’s directors and officers knew that Heartland’s security systems were deficient or that the prior cyberattack had not been adequately addressed. Heartland illustrates the uphill battle faced by plaintiffs pleading federal securities fraud claims; note, however, that it was decided before the SEC issued its 2011 disclosure guidance, discussed below, and courts may now be more willing to treat a failure to disclose cyber incidents as a material omission in light of that guidance.
Increased Scrutiny of Disclosures
The growing risk of cyber incidents has the attention of both the plaintiffs’ bar and various regulators. As a result, the sufficiency of corporate disclosures is under the microscope and companies should be mindful of the increased risk of SEC comment letters, enforcement actions and private litigation that may arise in this context.
Although existing disclosure requirements do not explicitly mention cybersecurity, the SEC’s Division of Corporation Finance issued disclosure guidance in 2011 explaining how existing obligations apply to cybersecurity matters. The guidance is staff guidance rather than a rule, but it rests on existing disclosure obligations, and in practice cybersecurity disclosures must address both cybersecurity risks and the company’s history of breaches and attacks. When disclosing cybersecurity risks, the guidance directs registrants to tailor their disclosures to their particular circumstances in order to “provide sufficient disclosure to allow investors to appreciate the nature of the risks faced by the particular registrant.” A boilerplate recitation of the general threats posed to cybersecurity will therefore not suffice.
Additionally, past material breaches must be disclosed, and past immaterial or attempted breaches may need to be disclosed as well. The guidance warns that “a registrant may need to disclose known or threatened cyber incidents to place the discussion of cybersecurity risks in context.” Companies should consider cybersecurity when preparing their registration statements, periodic reports, and other required SEC filings, including the risk factors, MD&A, description of business, legal proceedings, and financial statement disclosures.
The SEC highlighted its continued focus on cyber disclosures by holding a Cybersecurity Roundtable in March of this year, during which a panel on public company disclosure reiterated the importance of director involvement in cybersecurity decisions. SEC Chair Mary Jo White commented in her opening remarks that “[t]he SEC’s formal jurisdiction over cybersecurity is directly focused on the integrity of our market systems, customer data protections, and disclosure of material information.” Thus, although it is uncertain whether the SEC will adopt formal rules governing cybersecurity, disclosures on this topic are fully expected, and companies should follow the available SEC guidance and other commentary in the meantime.
Directors and officers should also expect that shareholders will look to the company’s SEC disclosures when drafting their complaint. For example, the Target shareholders point to a cybersecurity risk disclosure in Target’s 2012 SEC Form 10-K to assert that the directors and officers were aware of the risks posed and failed to take preventative measures to address those risks. Attempts to use a company’s risk factors to support a claim turn the safe harbor protections of the Private Securities Litigation Reform Act on their head and should be rejected as a matter of law. As the Target case demonstrates, however, directors and officers should review their cyber risk disclosures very carefully and vet them fully with those employees responsible for cybersecurity.
It is important for board members to be aware of their role in both pre-breach cybersecurity preparedness and post-breach oversight of the security incident and any follow-up on remediation measures.
Pre-Breach Oversight Responsibility
Cybersecurity and Corporate Governance
At the outset, and because IT and cybersecurity are particularly technical disciplines, board members need to ensure that they have at least a basic familiarity with the technical vocabulary so that they can ask the right questions and become adequately informed of the issues. Commissioner Aguilar mentioned mandatory cyber risk education for directors, or ensuring representation by directors with a good understanding of IT issues, as two recommended practices. He further suggested that boards may improve their technical expertise by establishing a separate enterprise risk committee. Boards may also supplement their knowledge by hiring external consultants, but even where external consultants are engaged, the board should seriously consider creating a special committee to deal exclusively with cybersecurity and to ensure that the board is frequently and adequately briefed on cybersecurity issues. Identifying ways to overcome the obstacles presented by technical jargon and a technical discipline should be the first step for boards in tackling their pre-breach cybersecurity oversight role.
The board of directors should be particularly cognizant of its oversight responsibilities before a breach has occurred because shareholder plaintiffs are likely to target the strength and sufficiency of a company’s cybersecurity measures as a cause of their losses. Accordingly, the board of directors should periodically evaluate the company’s current cybersecurity procedures, protective measures and risk profile, and stay informed as risks, threats, and other issues arise. The board should also consider the strength of the current system with respect to the level of risk to which the company is exposed and whether the company is equipped to handle these issues internally or if an external advisor should be engaged. If cybersecurity is handled externally, the board should further evaluate the process and diligence involved in selecting the company’s vendors and other service providers (to the extent cyber issues are implicated) and the adequacy of employee training on these issues.
These considerations fall within the five key principles to govern oversight of cyber risks recently promulgated by the National Association of Corporate Directors, in conjunction with AIG and the Internet Security Alliance:
- Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue.
- Directors should understand the legal implications of cyber risks as they relate to their company’s specific circumstances.
- Boards should have adequate access to cybersecurity expertise, and discussions about cyber risk management should be given regular and adequate time on the board meeting agenda.
- Directors should set the expectation that management will establish an enterprise-wide cyber risk management framework with adequate staffing and budget.
- Board-management discussion of cyber risk should include identification of which risks to avoid, accept, mitigate, or transfer through insurance, as well as specific plans associated with each approach.
In addition, given the challenges of responding to security incidents with far-reaching exposure, one additional key principle is that the board should ensure that a specific cyber incident response plan is in place, has been properly tested, and is ready for swift execution before a breach occurs.
Given the increasing frequency of cybersecurity incidents, directors should consider purchasing cyber insurance to help absorb the potentially massive costs of a data breach. Indeed, the SEC’s 2011 guidance directs registrants to consider describing the mitigation measures they employ, including a description of relevant insurance coverage. General liability policies may not be sufficient to address the unique circumstances of cybersecurity, and some contain specific exclusions for data breaches. Stand-alone cyber insurance is tailored to cover the fall-out of a security breach, such as the costs of responding to the breach, lost income and operating expenses, and losses arising from third-party claims. Additional services and coverage are also available, and, like other types of insurance, cyber insurance coverage can vary in important ways. For example, some policies will cover only legally required notice to customers and not voluntary notice. Another important consideration is whether the policy covers the cost of a post-breach forensic investigation and of legal counsel.
Directors should also revisit their existing D&O policy with inside or outside counsel to assess whether it is sufficient to cover the risk of derivative claims and shareholder class actions incident to a breach. Depending on the size of the company and its inherent cyber risks, directors should take time to assess the various policies on the market to ensure coverage sufficient for the company’s unique needs.
Prepare for Potential Use of Internal Policies in Litigation
Shareholders may also use internal guidelines and policies around cybersecurity against companies and their directors in litigation. In the Target derivative litigation, the shareholders allege that the very fact Target had cybersecurity policies and advisory committees was evidence that the board was aware of the risks of an incident and failed to fulfill their fiduciary duties and prevent a breach. Because the Target Audit Committee was charged with monitoring cybersecurity policies and procedures, members of the committee were specifically targeted for the breach of fiduciary duty claim. Thus, boards should review company policies with advisors to ensure they are thorough and up-to-date. The board should also confirm with appropriate company management that the policies are being implemented and followed.
Consider Director Exculpation Clauses and Indemnification Agreements
Director exculpation clauses and indemnification agreements are important protections against personal liability in private suits arising from cyber incidents. An exculpatory provision in a company’s corporate charter or bylaws can preclude certain cybersecurity claims altogether, protecting directors not only from personal liability but also from the stress and expense of lengthy litigation. Indemnity agreements are equally important because they can provide for advancement of defense costs during litigation and cover any settlement or monetary judgment when the case concludes. Directors should therefore check the language of their exculpation clauses and indemnification agreements to ensure that litigation arising from a cybersecurity incident is covered. Directors should bear in mind that exculpation clauses are typically limited by state law to duty of care violations and will not cover acts in bad faith. Indemnification agreements can vary widely in their coverage and sometimes also exclude “bad” acts.
Post-Breach Oversight Responsibility
Although recent cybersecurity lawsuits have focused on the systems and controls that failed to prevent a breach, a company’s response to a material breach can give rise to liability in both a disclosure and a due care context, and should be treated with equal vigilance. For example, public comments made after a breach about the state of a company’s security or the incident’s repercussions could later become the subject of a securities class action. Similarly, any alleged failure of oversight that caused or exacerbated losses to the company could give rise to a derivative action. The board should take care to understand the incident response plan so that it can oversee its proper implementation. Indeed, during the response to a cybersecurity incident of any legal significance, the board of directors needs to be engaged and involved in directing the response and approving any proposed remediation plan. Understanding the nature of this role in advance of a breach will go a long way toward carrying out these oversight responsibilities effectively in the wake of a cyber crisis.
Cybersecurity has become a spotlight issue, one that corporate directors and officers are expected to consider and manage. The increasing number and sophistication of cyberattacks has brought increased costs and increased scrutiny, and both regulators and shareholders have demonstrated a keen interest in cybersecurity issues. Federal regulators, such as the FCC, FDA, and SEC, and state regulators are proactively inquiring into the cybersecurity practices of companies. This will likely expand the range of companies that should consider adopting the NIST Cybersecurity Framework. At the same time, private litigation has become a growing avenue for addressing cybersecurity issues: shareholder derivative actions and securities fraud class actions assert claims against directors and officers for breach of the duty of care and waste of corporate assets stemming from cyberattacks. Regulator and shareholder interest also means increased scrutiny of disclosure statements, which now must address both cybersecurity risks and the company’s history of breaches and attacks. In this landscape of increased exposure and increased scrutiny, directors and officers must be particularly cognizant of their oversight responsibilities for the company’s cybersecurity.