Five years ago, few would have said cyber threats were a board-level issue. Saying cyber exposure was the responsibility of the board of directors was like saying the choice of laptop vendor or janitorial service was a board-level matter. Sure, you expected the managers you had hired to make prudent decisions in these areas, but it certainly wasn’t something for precious board meeting time.
But all that has changed. The way we do business has fundamentally changed, and with it, the threat of a cyber security breach looms. As a consequence, cyber liability is now a board-level issue.
In this post, we’ll look at the latest case that spotlights cyber risk management as a board-level issue, and consider some actions boards can take.
Target: The Latest Poster Child for Ds and Os v. Cyber
In fall 2013, hackers found their way into Target’s network, and once in, reports say there was little to deter them from uncovering massive amounts of customer data, including credit card numbers and PINs. From a New York Times report:
Entering through a digital gateway, the criminals discovered that Target’s systems were astonishingly open — lacking the virtual walls and motion detectors found in secure networks like many banks’. Without those safeguards, the thieves moved swiftly into the company’s computer servers containing Target’s customer data and to the crown jewel: the in-store systems where consumers swipe their credit and debit cards and enter their PINs.
The Times reported in January that the hackers gained access to “as many as 40 million Target customers, and personal information, such as phone numbers and addresses, of as many as 70 million more.”
Kevin LaCroix at the D&O Diary blog made available the first and second complaints in the case of Robert Kulla and Maureen Collier versus several directors and officers of Target Corporation. From DandODiary.com:
Basically, the two complaints alleged that the defendants were aware of how important the security of private customer information is to customers and to the company, as well as the risks to the company that a data breach could present. The complaints allege that the company “failed to take reasonable steps to maintain its customers’ personal and financial information,” and specifically with respect to the possibility of a data breach that the defendants failed “to implement any internal controls at Target designed to detect and prevent such a data breach.”
After Target, it’s obvious there is a clear and present danger in cyber, and that it is, in fact, a board-level issue. And, to be clear, Target isn’t the first time Ds and Os have been sued for a cyber breach.
There are several additional cases, as illustrated in the graphic below, including Wyndham, Heartland Payment and others.
Upholding Fiduciary Duty with Cyber Risk Management
In the Wild West that is currently cyber risk management, private and public sectors are scrambling to create processes to address it. This world of rapidly evolving practices makes the board’s role as a fiduciary for the shareholders especially tough.
Because there is no clear, definitive answer on what exact steps a company should take when it comes to cyber risk management, the board should engage with management on the need for it, and understand what the company is and is not doing in this regard.
Directors (and management) don’t have to be perfect, but they do have to engage in a demonstrable process that is reasonably designed to protect the company from cyber threats. Documenting this process in the board minutes is also a good idea.
After Target, it is pretty clear that the board of any company that suffers a catastrophic cyber breach in the future should expect to be sued by its shareholders. In the event of a lawsuit, the court will want to look at the process put in place by the board.
The minutes should reflect that the board routinely and systematically made inquiries about cyber risk, followed up on any open items and demonstrated prudence in exercising its fiduciary duty. If there isn’t enough in the record to show that the board followed a reasonable process, the court will find it tough to dismiss the case.
Unlike some, I’m not suggesting that you need a cyber expert on every board of directors. I’m also not suggesting that board members get into the weeds and start verifying that their McAfee software, for example, is up to date and patched. What I am suggesting is that the cyber issue is just like other areas of the business where risk needs to be identified and managed.
First, perform a risk assessment of your company’s practices, starting with the following questions:
- What is the most likely source of a cyber threat for us – a competitor, a rogue employee or a criminal?
- Who is responsible for cyber security at the company?
- Has a cyber risk assessment ever been done? Who did it?
- What kind of data do we collect? How long do we store it?
- Where is our data physically located?
- What data, once stolen, cannot be made whole again (exposed customer records, for example)?
- What data would take longest to recover if it were destroyed or made unavailable?
- What training do we currently provide our employees on password management, public Wi-Fi use and social media participation?
Cyber Insurance Considerations
After a company assesses its cyber risk, coming up with a mitigation plan is the next step. Transferring some of the financial risk to an insurance company through a cyber liability policy will make sense in many cases. This is particularly true for businesses that have a risk of exposing sensitive personal data.
Though not on the radar in a significant way yet, you may want to be watchful for language in a D&O insurance policy that could exclude anything related to D&O suits that may arise as a result of a cyber breach.
Of course, I don’t expect a D&O insurance carrier to respond to the direct first- and third-party costs that arise from a cyber breach, but I do expect coverage for the resulting breach of fiduciary duty suit or securities class action suit.
Cyber Risk and The Board: Where to Next?
We’ll no doubt continue to see boards struggle with what is the appropriate amount of engagement in cyber risk management. And, without a doubt, we will see more situations on the scale of Target, if not larger.
What should a diligent board member do? Stay up to speed on the events as they evolve—no one on the board should take a pass when it comes to staying educated on cyber issues.
Reading headlines is the bare minimum; obtaining briefings on why the headline you just read won’t happen to your company is a must. Also, schedule regular times for your management team to present to the board what is being done when it comes to cyber risk management, including what more they would be doing if they had more budget.
In the end, your company may well end up in the headlines for a cyber breach. If so, you’ll surely hope that it wasn’t a type that was wholly preventable if only the board had asked the right questions.
The views expressed in this blog are solely those of the author. This blog should not be taken as insurance or legal advice for your particular situation. Questions? Comments? Concerns? Email: email@example.com.