Cyber attacks continue to be one of the most concerning risks to businesses, and COVID-19 is only exacerbating those risks. Add to that the D&O litigation that typically follows a cyber event, and you have a recipe for disaster for boards of directors, unless they make cyber risk a priority now. It’s true that many boards have become more involved in cyber risk, but a great many still view it solely as an IT issue. To reduce director liability, all boards need to put cyber risk front and center as part of their corporate governance.
Slowly, Boards Are Getting More Involved in Cyber Risk
Slowly but surely we are seeing more board involvement in cybersecurity, and COVID-19 has sparked even more interest on the part of the board to address cyber security risks. PWC’s Digital Trust Insights Pulse Survey reports that as a result of the crisis, 50% of CISOs interacted more frequently with their boards.
According to PWC:
Boards and C-suite executives, who in the past may have wondered about the return on investment for all the cybersecurity personnel, solutions and architectures, don’t anymore. The value of their cybersecurity expenditures over the years—and of the CISO’s leadership—became crystal clear during this crisis.
And with good reason. The FBI reports that cyber attacks are up due to the pandemic, and there’s a long list of cyber threats popping up as a result of the shift to working from home. Bad actors are always opportunistic and have turned their focus to the path of least resistance; hacking Zoom is just one example.
Still, “cyber fatigue” (the exhaustion of trying to keep up with the latest attacks and security lingo) is a real issue for some boards. As a result, boards may delegate cyber risk entirely to the management team while they focus on what they believe is more important.
This is a mistake. Cyber threats are an enterprise risk management issue and effective governance is a board’s responsibility. Boards need to understand their companies’ cybersecurity risk and preparedness.
In January, the Securities and Exchange Commission echoed this sentiment in Cybersecurity and Resiliency Observations in which it stated that a top-down approach is key to managing cyber risk:
Effective cybersecurity programs start with the right tone at the top, with senior leaders who are committed to improving their organization’s cyber posture through working with others to understand, prioritize, communicate, and mitigate cybersecurity risks.
Remember that directors face increased liability when they do not make cybersecurity a priority. Take Yahoo’s cyber breach as a cautionary tale, where directors and officers agreed to pay $29 million in a breach of fiduciary duty derivative lawsuit.
And Yahoo is just one example of derivative suits brought against directors and officers after a cyber event; Target, Wyndham, and Home Depot are other examples. Bottom line: When a cyber incident happens, people will ask what the board was doing to prevent it.
Cyber Governance: A Simple Action Plan to Start
Even though the numbers show an increased interest in cyber at the board level, a large percentage of boards still have a long way to go. So what can boards do now to help manage cyber risk?
- Ensure adequate cybersecurity governance is in place.
- Be sure to explore risk transfer options like cyber insurance.
Cyber Security Governance
When assessing your approach to cybersecurity governance, it might be useful to turn to the SEC’s Cybersecurity and Resiliency Observations publication. Here, companies can explore the SEC’s guidance on:
- Senior-level engagement
- Risk assessments
- Policies and procedures
- Testing and monitoring
- Continuously evaluating and adapting to changes
In addition, we advise boards to consider strategic questions like:
Have we performed a data mapping exercise? The definition of personally identifiable information (PII) keeps shifting and can range from IP addresses all the way to social security numbers and everything in between. Before you can decide what data to secure, it is imperative to understand where key data assets are collected, stored, and handled within the organization.
Have we conducted an independent cybersecurity assessment? This risk assessment from an outside consultant can give you valuable insight into the security posture of the company as well as areas of improvement that need to be addressed, such as enabling multi-factor authentication or employee awareness training.
Do we have an incident response plan? All companies need a cyber incident response plan that allows them to respond to a breach or network security failure. Boards should inquire about who within the organization owns the response plan, whether the appropriate stakeholders have been identified, and how often the plan is updated and tested. Boards also need to know their own role in the plan and when their engagement is required should an event occur.
What processes are in place for managing vendor risk? It’s important to understand both the security posture of third-party vendors and the vulnerabilities they introduce. Both LabCorp and Quest Diagnostics suffered breaches that exposed millions of PII records via a third-party payment processing vendor. A vendor security assessment can help.
How do we stay compliant with privacy regulations? With the European Union’s General Data Privacy Regulation and US states implementing their own privacy legislation, like California’s Consumer Privacy Act, management needs to stay abreast of the latest legislation. Management also needs to implement processes to stay on top of the most recent requirements applicable to their company. Boards should ensure the appropriate protocols or advisors are in place to do so.
Sound governance includes a discussion of how valuable insurance is to risk mitigation, so a board should absolutely ask questions about transferring cyber risk.
If your company is not investing in cyber insurance, you’ll need to discover, with the help of a specialized and seasoned broker, exactly what kind of value cyber insurance can provide.
In general, cyber insurance can cover areas including:
- Network security (can include both first-party and third-party costs)
- Privacy liability (can include both first-party and third-party costs)
- Network business interruption
- Media liability
- Errors and omissions
You’ll also want to better understand how to establish the appropriate limits for the insurance program, remembering that one size does not fit all.
The right cyber program is personalized to each company and the factors assessed include specific cyber risks, current security tools, and the appetite for risk.
For more on this topic, see our Guide to Cyber Liability Insurance.