— REM song title
We enter now into the mature phase of considering cyber risk. We have seen the costly devastation most recently caused by cyber hacking of movie companies (Sony), retailer credit card records (Target) and health care records (Anthem).
We are deluged with articles and seminars telling companies and their boards how to respond. We are assured that you will be hacked, there is no escape, and it will happen over and over.
A recent program mounted by the National Association of Corporate Directors/New England heard law enforcement observe that the FBI is offering a $3 million reward for a cyber thief, $1 million more than it offered for the capture of notorious mass-murderer Whitey Bulger.
Management has the laboring oar to address company exposure. The tools are now well identified. You may start with the 2014 “Framework” established by the National Institute of Standards and Technology (NIST), a nonregulatory agency of the Department of Commerce. NIST was responding to a 2013 executive order seeking establishment of voluntary cyber security standards to protect the country’s business infrastructure (www.nist.gov/cyberframework/index.cfm).
The Framework lists five functions for companies to address (identify risk, protect against it, detect incursion, respond and recover) and suggests methods for moving toward increasingly robust “tiers” of preparedness.
There is a plethora of consultants to analyze vulnerabilities, implement protections, train staff and install telemetry devices to monitor system end-points and servers to detect suspicious activity. Larger businesses will require sophisticated internal staff, but outside guidance is advisable for virtually all enterprises.
The Department of Homeland Security, empowered by the 2002 Homeland Security Act, operates 16 “centers” providing industry-specific cyber security information and may be available to consult directly with businesses.
In the event of a cyber breach, recourse can be had to the FBI, the Secret Service (for financial crimes), and Immigration and Customs Enforcement (for IP theft).
Management must establish an internal enterprise risk management (ERM) program addressing cyber risks. Literature abounds with specific recommendations. Appropriate outside experts need to be hired to assist in identifying where your data resides (data mapping), who has access, and whether employees are adequately trained to protect the system. Inquiries should be made as to whether access to certain systems is limited to those who “need to know.”
As part of data mapping, key information (the company’s “crown jewels”) should be identified, and special protection and limited access should be provided for this information. Crown jewels should be isolated from links to other, less protected parts of the company’s system. Segregation of systems may be difficult because connectivity creates efficiency, but attention should be given to minimizing linkages within business units, and with operating functions that cut across business units.
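The data-mapping, need-to-know and crown-jewel segregation checks described above can be reduced to a simple review that runs against the company’s system inventory. The following is an added illustration, not part of the article; the inventory, roles, user names and access grants are constructed sample data, and the tier names “crown_jewel” and “standard” are labels assumed here.

```python
# Added example: review a constructed data map against the article's three checks:
# (1) where sensitive data resides, (2) access limited to need-to-know roles,
# (3) crown jewels not linked to less-protected systems.
from dataclasses import dataclass, field


@dataclass
class System:
    name: str
    tier: str                                   # "crown_jewel" or "standard" (assumed labels)
    need_to_know: set = field(default_factory=set)   # roles authorised for this system
    links: set = field(default_factory=set)          # other systems it connects to


# Constructed sample inventory (hypothetical company data, not from the article).
SYSTEMS = {
    "customer-db": System("customer-db", "crown_jewel", {"dba", "billing"}, {"web-portal"}),
    "payroll":     System("payroll", "crown_jewel", {"hr"}, set()),
    "web-portal":  System("web-portal", "standard", {"dev", "ops"}, {"customer-db", "wiki"}),
    "wiki":        System("wiki", "standard", {"dev", "ops", "hr", "sales"}, set()),
}

# Constructed access grants: (user, role, system).
GRANTS = [
    ("alice", "dba", "customer-db"),
    ("bob", "sales", "customer-db"),    # sales has no need to know here
    ("carol", "hr", "payroll"),
    ("dave", "ops", "payroll"),         # ops has no need to know here
    ("erin", "dev", "wiki"),
]


def excess_access(systems, grants):
    """Grants to crown-jewel systems held by roles outside that system's need-to-know list."""
    return [(u, r, s) for u, r, s in grants
            if systems[s].tier == "crown_jewel" and r not in systems[s].need_to_know]


def risky_links(systems):
    """Links (in either direction) joining a crown-jewel system to a less-protected one."""
    found = set()
    for s in systems.values():
        for other_name in s.links:
            other = systems[other_name]
            if s.tier != other.tier:
                cj, std = (s, other) if s.tier == "crown_jewel" else (other, s)
                found.add((cj.name, std.name))
    return sorted(found)


if __name__ == "__main__":
    for user, role, system in excess_access(SYSTEMS, GRANTS):
        print(f"EXCESS ACCESS: {user} ({role}) -> {system}")
    for jewel, weaker in risky_links(SYSTEMS):
        print(f"RISKY LINK: {jewel} <-> {weaker}")
```

Each flagged grant is a candidate for revocation and each flagged link a candidate for segmentation; the same review re-run periodically gives the board the status figures the article asks management to report.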
Companies should address cyber security of employees working from home and of remote access to the computer system. Individual training and mobile device security should be established. Physical security of removable media (discs, thumb drives) should be addressed.
Management should periodically review the entire cyber security system, testing (by outside experts) to see if a breach can be achieved. For larger organizations, with customer or credit or health data, testing is indispensable. There should be periodic review of the integrity of firewalls, establishment of encryption practices, and periodic rotation of sufficiently complex passwords.
A response team should be established before breaches occur, and that team should dry run different kinds of breaches, addressing all relevant cohorts: people to remediate the breach; people to give notice to parties whose data may be compromised; people to provide ongoing support for parties with compromised data, including phone support, help desks, perhaps company-paid credit monitoring; and people to recover or reconstruct lost data.
A “legal” team, headed by in-house or outside counsel, must notify insurers, governmental agencies regulating a particular industry, and (for reporting companies) the SEC.
Much of the above relates to larger companies, but smaller companies are not immune and may themselves possess private data of third parties. Additionally, many smaller companies are plugged into larger companies electronically: vendors for parts for “just in time” delivery, vendors who stock shelves, certain classes of customers, and certain service providers.
Further, smaller companies may want to make sure they have robust cyber security systems if they have any thoughts of being acquired. No one wants to acquire a latent cyber security problem.
Directors have a significant role in ensuring cyber security. Some current overheated literature suggests that directors are going to incur significant personal liability if they fail in their fiduciary oversight.
Although some derivative litigation has been filed against directors for failing to supervise cyber risks, and although expanded insurance is prudent not only for the company but also for the board (see below), boards should be immunized from liability by the business judgment rule, which protects directors exercising normal skills and attentiveness.
Directors would have to be almost totally inattentive in overseeing a cyber-risk program to run a serious risk of personal liability.
That said, cyber risk is hugely important and breaches are expensive; breaches impact company P&L, brand integrity and M&A (extensive M&A diligence in cyber issues can kill a transaction if significant risk is perceived, cyber being a sometimes latent time bomb). Further, breaches implicate possible criminal liability under state laws protecting customer/patient data privacy.
Prudent boards should include at least one cyber-savvy director, designate a specific committee to monitor cyber risk (beware over-burdening audit; some audit committees already are overwhelmed and are focused elsewhere), meet with outside consultants (upon whom boards may rely under most state corporate laws for statutory protection), discuss ERM and cyber security in all regular meetings, and query management on status, periodic testing and periodic review. (One company’s board escaped shareholder liability when the court noted the holding of 16 cyber-risk meetings in one 12-month period.)
Boards should consult the NACD’s 2014 director’s handbook entitled “Cyber-Risk Oversight” for useful checklists, and particularly “dashboards” that can organize board inquiry throughout company departments and business units.
NACD also periodically conducts national meetings for directors that touch on cyber risk; the most recent was slated for mid-May in San Diego, with Tom Ridge, former U.S. secretary of Homeland Security, one of the speakers.
Finally, numerous law firms and accounting firms have “alerts,” blogs or website sections designed for board member consumption.
Cyber insurance is a minefield for company and director alike. Because the area is still emerging, policies are not standard, language is subtle, and exclusions are (perhaps unintentionally) cryptic.
The takeaways: Consult an expert advisor and push for special negotiated language.
Without purporting to be complete, here are some key areas of focus:
• All policies are claims-made; is it clear that a claim filed within the policy period will be insured if the underlying cyber breach occurred prior to the policy inception? Some breaches are not recognized for many months.
• Is there an exclusion for liability for breach of third-party “right of privacy”? Breach of this right often is cited in litigation against companies.
• What costs and liabilities are expressly insured against? Areas include: forensic breach analysis; notification to and support of compromised customers such as call center costs and credit monitoring; crisis management costs including public relations; costs of data loss or reconstruction; expense of defense, and damages, incurred from suit by third parties, or from derivative claims (see below with respect to directors); expense of defending regulatory suits or investigations and related penalties; whether covered “claims” include response to subpoenas before a company is an investigatory “target”; loss of income by third parties; and business interruption insurance for the company itself. Some policies may require pre-approval of an acquisition to keep coverage in force.
Given magnitudes of risk, companies should be prepared for intense underwriting processes, including: examination of internal cyber protections; use of encryption; employee profiles and training; review of third parties connected to company systems; data back-up; and budget for cyber security.
For directors, the goal is to get any coverage at all. Coverage for a company under CGL (general liability) and separate cyber-risk policies insures only the company. Director D&O insurance is separate and must be analyzed in a manner similar to the company review, to establish coverage and to eliminate exclusions.
Specific coverage must be clear as to claims based on negligence, failure to supervise and monitor, failure to prevent violation of law, breach of the duties of care, and costs of investigation and defense as well as liability.
To the extent D&O coverage is incorporated into a company policy, it should be clear that the insurance for directors is separate and will not be absorbed by expenditures on behalf of the company or that, alternatively, coverage is so large that there is no risk of running out of dollars (something that is difficult given the sometimes enormous liability risk).
Some recent literature treats cyber risk as the end of the world, a cataclysm that will blow your company apart. Surely we must pay close attention to cyber risk, but students of T.S. Eliot well know that “the world ends not with a bang but with a whimper.”
With currently available levels of support, companies, their boards and management can handle cyber risk like all other ERM risks: with close attention and thoughtful insurance coverages.
Stephen M. Honig practices at Duane Morris in Boston.