No '911' for Cyber Security
Executive Board Cyber Exposure
Let’s get real. There’s no emergency number you can call after a cyber exposure or cybercrime. What you can do – and what’s essential to do – is to learn from companies’ mistakes and take proactive action, starting with the executive board.
As cyber security exposures continue to grow, responsibility is shifting away from IT departments and into board rooms. In recent years there has been an increasing trend of shareholder derivative cases and securities class actions filed against directors and officers, alleging breach of fiduciary duty in connection with cyber data breaches. The Target breach is a clear example: four derivative lawsuits were filed against Target in the aftermath of the November 2013 data breach. The suits named 13 of Target’s directors and officers as defendants and claimed, among other things, breach of fiduciary duty and waste of company assets. The suits are still pending, but the incident cost the CEO his job and caused major reputational damage for the company. In the past, many boards would claim they were unaware of the technology exposure. Given the number and size of today’s data breaches, that argument is no longer tenable and is irresponsible. The issue has grown to the point that the U.S. Senate may take action: the Cybersecurity Disclosure Act of 2015 was recently introduced in the Senate. This bill would require publicly traded companies to state in their SEC filings whether there is a cyber expert on the board and, if not, why such an expert is not necessary.
One big challenge many boards face is a lack of expertise and the fact that they simply do not speak the “technology language” needed to provide proper oversight. Board members and company officers need to rely on, and listen to, their risk managers and IT and legal departments to understand the current risk issues, and then provide the oversight and supervision needed to address them. Boards may want to consider adding a non-voting member with cyber and risk expertise to lend guidance, or meeting with the company’s own experts several times a year. The point is that this should not be treated as a once-a-year update to the board, but as an ongoing discussion. Boards should lead the development of a proper risk and cyber assessment that identifies cyber exposures, the implementation of a comprehensive breach response plan, and the use of metrics to gauge the effectiveness of these programs. In most cases, a company’s directors and officers (D&O) insurance will respond to such lawsuits brought against directors and officers. However, there are potential exceptions, such as the terrorism exclusion and the question of whether it applies to acts of hacktivism. This could be an additional issue for faith-based, media, political and educational institutions.
For additional guidance on your board’s involvement with cyber security, chat with one of our experts.
- Cyber Liability E-Book
- Cyber Liability: Target's $19M Breach and Counting
- Hacktivism: A Growing Threat
- Anatomy of a Cyber Incident Response Plan
- Data Security Breaches Webinar Replay