Leaders have a duty of care for preventing, mitigating and transferring the risks of a cyber attack.
Large enterprises like Target, Sony and Home Depot may have grabbed headlines for recent cyber attacks, but small to mid-size businesses are the most exposed and the easiest prey. That is because small businesses have fewer resources and may falsely believe that hackers only target large organizations. Last year, small organizations accounted for 85% of data breach claims,[1] and breaches of fewer than 10,000 records cost on average $4.66 million.[2]
As if such frequency and severity were not enough to cause concern, cyber liabilities now extend from the computer room to the executive leadership and up through to the boardroom. The boards of Target, Google and Wyndham were sued after recent data breaches, and C-suite officers of these companies were fired for not anticipating and preventing breaches, all because of a lack of preparation for, or an inadequate response to, data breaches. Such lawsuits and firings could be catastrophic for officers and boards if they do not have enough cyber insurance, as well as directors and officers (D&O) coverage, to protect the firm and indemnify themselves.
“Executive leadership of every company, regardless of size, has a ‘duty of care’ toward all stakeholders. As a result, the responsibility for preventing or responding to a cyber breach ultimately sits upon their shoulders. And that responsibility creates personal liability,” said Arturo Perez-Reyes, Cyber and Technology Leader and Senior Vice President, HUB International. “If a company is sued by any stakeholder, and it doesn’t have enough capital or insurance to protect the firm or indemnify the C-suite and board, then they could lose their personal assets, like homes, college funds, retirement accounts, etc.”
Start from the top
Companies often start at the bottom with operational efforts to minimize losses by simply buying preventive controls like firewalls or anti-virus software. Fewer firms set up mitigation controls like business continuity and disaster recovery plans or incident response plans, and fewer still have ever tested them or transferred cyber risks in contracts or via insurance.
Consequently, many firms would not meet a general “reasonableness” standard for preparedness such as the latest NIST or FTC advisories suggest. As a result, boards and officers could be made to look negligent in a court of law.
Boards need to do three things.
1) Check to make sure that your D&O coverage is adequate. Does it have exclusions for failure to maintain underlying insurance, or specific carve-outs for cyber risks? The former are common; the latter are new.
2) Check to make sure that the firm has cyber coverage. Most firms do not, and many policies are not worth owning. Hence you need to consult a qualified cyber insurance broker like HUB, with dedicated experts for insurance placements, incident response and claims handling.
3) Exercise a duty of care that shows how officers of the company avoid, prevent, mitigate and transfer cyber risk. Then document the evaluations and decisions.
Officers must assist the board in its evaluation of cyber risks by:
1) Getting on the right side of the law. Study the relevant regulatory regimes: the state, federal and international laws that might apply to your physical and electronic stores of personally identifiable information (PII) or personal health information (PHI).
2) Adopting the latest best practices advocated by the FTC, NIST, industry groups or regulators.[3]
3) Evaluating the potential for unexpected losses and placing sufficient insurance.
Operations personnel need to execute the plans. The best hackers do not hack systems or software; they hack people. The malicious tools they use are powerful enough to bring down the most sophisticated nation states. They are sometimes designed to steal, other times to destroy. What these tools can mean to employees is pillaged bank accounts. What they mean to employers is losses of money, trade secrets and competitive advantage.
Putting it all together
If the officers and board members do all of the above well, they not only defend the firm, they defend themselves. For example, in the Wyndham v. Palkon decision, a New Jersey federal court dismissed a shareholder claim alleging that the company’s board and directors did not take adequate steps to prevent an information breach, after Wyndham executives provided detailed information on 14 quarterly meetings prior to the attack at which cyber security policies and security enhancements were discussed. In addition, they showed that the company’s audit committee had investigated the breaches and hired a technology firm to recommend security improvements.
The lesson is clear. A company of any size whose executives proactively work together and document their steps in managing risk, both before and after a cyber attack, will be able to show that they have exercised their responsibility to stakeholders.
“It is more important than ever for management teams to work together – from the C-suite to the board and operations personnel,” said Michelle Lopilato, Senior Vice President, Director of Cyber and Technology Solutions. “Taking the necessary steps to avoid, prevent, mitigate and transfer new and emerging risks will ultimately safeguard the company and its executives.”
[1] NetDiligence, “Cyber Claims Study 2014”
[2] Ponemon Institute and IBM, “2015 Cost of Data Breach Study: United States”, page 10
[3] For example, see the latest FTC publication: “Start with Security: A Guide for Business”