The frequency of cyber breaches, the reputational and financial effects of breaches, and their prevalence have become manifest. As I write this column, the front page of the Wall Street Journal is dominated by a mock FBI poster: “Wanted: Conspiring To Commit Computer Fraud: … Wang Dong (‘Ugly Gorilla’), Sun Kailiang (alias Jack Sun) …” The poster included three other PRC nationals, all indicted by a federal grand jury for criminal hacking.
It is easy to hack. Available electronics are more sophisticated than in the past and are commercially available. You need not be an expert; all you need is evil intent and a few bucks to buy hardware.
There are remotely accessible devices the size of a cigarette box that can be left in an office and can download electronic activity. There are small devices that can plug into a USB port and remotely suck out the contents (one is cleverly called “USB Rubber Ducky”).
Businesses lag in taking prophylactic steps. It is common knowledge that you cannot prevent the hack; you can only discover, assess and remediate it. The simple precaution of mapping your network so that you know where your data is located and how it is accessed, a process helpful in discovering and remediating a hack, is not universally undertaken by businesses.
I was recently given a “tour,” by an attendee with a camera, of the last “Defcon” hackers’ convention in Las Vegas. Admission is by cash without record of who you are. It is assumed that the hacking community is in attendance.
The event has workshops on how to break into computer systems, how to hack cellphones, and an annual hacking contest much like “capture the flag” in which teams compete to capture an electronic flag by taking over a hardened server.
The problem is not simply internal, because companies link to third parties that provide services, stock shelves, provide parts as needed, and otherwise are integrated in our business to increase efficiency. Every one of those linked systems is a doorway into our own company.
The corporate board
Enterprise risk management is understood to encompass cyber security, and cyber security is understood to involve not just the IT function but also the entire enterprise, with software, data and hardware spread throughout a company.
Directorial supervision of cyber security is slippery. Boards must supervise, not execute. Boards need to ask probing questions to make sure that management prompts the company to meet acceptable standards.
How much must a board of directors know, however, in order accurately to supervise cyber security? What, if any, outside expert resources should a board invoke both to do a better job and protect itself?
Under Delaware corporate law (and many other corporate statutes), a board is protected from liability by reliance on advice of outside experts in monitoring company performance.
What is the scope of directors’ duty to monitor? The leading Caremark case in the Delaware Chancery Court held that “a director’s obligation includes a duty to attempt in good faith to assure that a corporate information and reporting system, which the board concludes is adequate, exists, and a failure to do so under some circumstances may, in theory at least, render a director liable for losses caused by noncompliance with applicable legal standards.”
The case is interpreted as requiring directors, in order to fulfill their duty of loyalty, to adequately monitor the operations of an enterprise. The doctrine is rarely invoked, but forewarned is forearmed. Who wants to be the directorial poster child held liable for failure to act in the face of a major risk that is in the newspapers every day?
The National Association of Corporate Directors recently issued a report addressing the role of boards in cyber security. NACD noted that generally “expertise is lacking at the board level” when it comes to IT matters, and that a demand for IT expertise has not been manifest in adding new directors. NACD notes that greatest director dissatisfaction with quantity and quality of information provided to boards fell in the area of information technology.
The average age of public company directors is increasing. One source of new directors, sitting CEOs, has become less available; many companies are prohibiting CEOs from sitting on outside boards, or limiting their participation to a single board, which in turn has caused recruiters to rely more heavily on older, retired persons. This dynamic may make more logical the addition of IT-savvy younger directors.
How does a board get to be cyber literate? Who is competent to advise a board on the inter-relationship between cyber security and business risks? Is it appropriate to turn to one’s audit firm (assuming PCAOB standards do not prohibit the audit firm from providing this ancillary service) or outside advisors?
Directors, first and foremost, must understand that they need not become personally expert in cyber security, nor do they have the time to do so. That means boards must deal through management.
But not becoming expert is different from being totally ignorant. Boards as a whole should be addressed by outside consultants in cyber security, perhaps at a retreat (where there is enough time to ask questions and integrate ERM ramifications).
Two actions initially can be requested from management. The first is a summary of procedures now in place. The second is to be assured that a data map has been prepared so that experts can help prevent or mediate breaches.
Boards must understand the cyber connections between their enterprise and supporting companies, whether suppliers or customers. Inquiry should be made as to the manner in which security systems of these vendors and customers have been hardened.
The consensus seems to be that you cannot protect all information. It is reasonable to request management to identify key information and to undertake means and limitations of access to protect that information. These targets, sometimes referred to as “crown jewels,” may be business strategies, technology, sources of supply or anything else that is vital.
Since directors must assume that hackers will get into their company’s system, their company must design a strategy that assumes hackers are already “inside.” What does that mean? The answer depends on the company’s characteristics, and an appropriate strategy can be generated only by communication between IT experts and management.
However, directors should inquire as to whether the process is ongoing and should ask for a “top level report” as to the approach undertaken.
Part of ERM is attempting to forestall and limit the intrusiveness of a breach, but since the assumption is that breaches will occur, attention also must be addressed to a breach’s impact on business.
A strategy also should recognize that cyber breaches are not one-time events; NACD cites a recent study that the average U.S. company suffers two successful cyber-attacks every week. In the event of a data breach, there must be internal and external response plans in place.
Internal: Directors should determine that there are robust procedures by which the source and nature of a breach are identified. Outside consultants should be identified to be available when called on. The board should walk through different cyber-attack scenarios with respect to different key elements of the business (technology, customer data, business strategy).
External: Public outreach also must be planned in advance. What government agencies must be contacted? Is your PR response organized? How do you communicate with your shareholders and customers?
For public companies, public disclosure under SEC guidance is essential. SEC disclosure is not limited to post-breach scenarios; up-front disclosure of cyber risks and possible business ramifications need to be disclosed.
Nothing is worse than having an SEC disclosure, approved by top management, filed with the SEC, and then the board does not address prevention and remediation of those risks. Indeed, sometimes the robustness of disclosure can itself constitute a checklist of board inquiry.
The human factor
Trusted insiders still represent the largest risk for cyber leaks. Think Snowden. I have seen no learning that suggests a method for a board to minimize that risk.
Another human factor is intriguing, however. Employees travel all the time. They bring with them portable information devices, including BlackBerries, smart phones, I-pads and computers. Many of the devices provide access into the company. Even if there is no such access, a device itself may carry information related to the purpose of the travel and, perhaps, left behind from prior undertakings.
A board might inquire as to the manner in which the business regulates data in the hands of trustworthy individuals. The problem is as simple as leaving a computer on a backseat of a car. It also is as subtle as carrying a cellphone into a meeting overseas, which sophisticated electronics remotely hack. Does an enterprise have policies that address these simple but significant risks?
Short of your board attending the next Defcon conference to learn about the problem from the inside, boards must work through management and expert outside advisors in order to meet their fiduciary obligations in a risky environment.
Stephen M. Honig practices business law at Duane Morris in Boston.