[BreachExchange] Corporate boards will face the spotlight in cybersecurity incidents

Audrey McNeil audrey at riskbasedsecurity.com
Fri Mar 9 14:52:58 EST 2018


https://www.csoonline.com/article/3261405/leadership-management/corporate-boards-will-face-the-spotlight-in-cybersecurity-incidents.html

In my last article, I noted that corporate boards, especially those of
public companies, are facing increased scrutiny and liability exposure in
relation to cybersecurity and data privacy. While companies continue to
gather and store large amounts of data, they are also more and more likely
to be subject to a damaging cyberattack or data breach. The actions and
composition of boards will be closely watched in the court of public
opinion as well as by the courts themselves and by lawmakers.

The impact of a data breach should not be underestimated. A breach can lead
to regulatory investigations by a number of agencies, including the Federal
Bureau of Investigation, Secret Service, Immigration and Customs
Enforcement as well as through enforcement actions by regulators including
State Attorneys General, the Federal Trade Commission (FTC) and the
Securities and Exchange Commission (SEC), among many others.

Companies also face a potential loss of intellectual property and trade
secrets as well as litigation brought by harmed customers, business
partners, or shareholders. Major reputational damage and loss of investor
confidence can also occur, often accompanied by decreased stock price.
Furthermore, a breach can cause organizational leadership to be refocused,
taking away from the operations of the business. The board, therefore, will
need to be careful to take practical steps to ensure proper oversight over
how their organization manages cyber threats.

How knowledgeable does a board need to be?

Boards are charged with risk oversight. Because cybersecurity issues are
complex and technical, it is common for directors to express anxiety
regarding whether the board has sufficient expertise and is informed enough
to serve its risk oversight function in this area. Directors often rely on
company senior management to educate directors on cybersecurity issues. To
ensure the board has a broad, unbiased view of the cybersecurity risks it
should be evaluating, directors should assess when the board could benefit
from independent briefings on cybersecurity risk rather than relying solely
on the officers who report to them.

Greater scrutiny over whether the board has such experience is evidenced by
legislation re-introduced in Congress last year. The bipartisan
Cybersecurity Disclosure Act of 2017-18 (S.536) would require publicly
traded companies to disclose the cybersecurity expertise of any members of
the board or general partner and, if the board does not have such
expertise, disclose the measures they have taken to identify and nominate
future nominees to the board. While the bill was first introduced in 2015,
given the recent highly-publicized cybersecurity incidents at public
companies, there is more momentum now than ever before. Even assuming the
bill does not pass, the legislation emphasizes the likelihood that the SEC
could consider board cybersecurity expertise when evaluating whether a
registered entity has a sufficient cyber risk management program.

Apart from non-binding guidance for boards to have cyber expertise, the
“business judgment rule” applies to decisions that the board makes,
including regarding oversight of cybersecurity issues. In general, so long
as a board meets the standards of care, duty, and loyalty, the business
judgment rule generally shields boards from liability in shareholder
lawsuits (including following massive security incidents). Directors must
follow the same business judgment principles that they use for evaluating
all other company risks, such as those associated with corporate strategy
and performance. These standards require that directors do more than simply
understand that threats exist and passively receive reports from an audit
committee or internal company management.

How should boards educate themselves about cybersecurity risks?

While the entire board is responsible for risk oversight generally, more
than half of boards delegate responsibility for overseeing cybersecurity
risk oversight solely to a compliance or audit committee. To demonstrate a
commitment to cybersecurity, and to ensure that the subject is given proper
attention, the board should consider including cybersecurity on its agenda
at full board meetings as frequently as necessary based on the level of
risk the company faces from data-related attacks, and as specific incidents
and situations warrant. Boards should give serious consideration to whether
to include cybersecurity in discussions regarding new business plans,
mergers and acquisitions, new-market entry, and other significant decisions
impacting the health and direction of the company. The board minutes should
reflect the occasions when cybersecurity is discussed.

Regardless of whether the board, an audit committee, or management is
responsible, the obligation to monitor, assess, and respond to cyber risk
should be clearly defined. The Chief Information Security Officer (or
similar position) should have sufficient budget authority, staff resources
and independence in order to operate effectively. Whether or not a CISO
exists, the board could consider whether the head of cybersecurity should
directly report to a senior C-level officer instead of a manager one or
more levels down the chain. Relying on the Chief Executive Officer to
update the board on cyber risk may not be enough. A recent report by the
Financial Services Information Sharing & Analysis Center (FS-ISAC) found
that only 8 percent of cybersecurity heads at U.S. financial institutions
report directly to their CEO.

The results of cyber risk monitoring need to be reported to the board
appropriately. Committee briefings regarding cybersecurity programs, risks,
and updates should occur regularly.

How should cyber risk be reported to the board?

The ongoing findings provided by management to the board should inform the
Directors about the type and degree of the company’s cybersecurity
vulnerabilities. According to the NACD 2017 edition of “Directors Handbook
on Cyber-Risk Oversight,” a risk report should include capabilities, i.e.,
successes (including IT risk management and third-party security) as well
as key risks, a corresponding risk level, related findings, and trends.
These indicators should show patterns over time, indicate actual and
potential impact on business operations and cost, and benchmark next to
peers (to the extent possible). Above all, it is recommended that the
metrics provided enable frank discussion, analysis and dialogue, which
requires a proper understanding of the issues at play.

While the board need not know about every single incident, companies’
incident response or similar policies should include factors that can be
analyzed to determine their severity and when escalation to the board is
appropriate. A company cannot learn from and respond to criminal breaches
if the board is not properly informed about aggregated information about
attacks. The median number of days an organization is compromised before
discovering a cyber breach is 146, and less than half are discovered
internally, as opposed to by third parties or law enforcement.

To appropriately assess the successes and shortcomings of the company’s
cybersecurity program, the board must be informed of aggregate information
about successes, i.e., incidents that were blocked. Armed with this
knowledge, the board can more appropriately make risk tolerance and
business decisions about how to allocate resources for cybersecurity.
Increased cybersecurity measures may also result in improvement in business
efficacy, and avoiding breaches can save companies a great deal of money.

Armed with the knowledge of the organization’s cyber risk, the board –
especially for data-centric companies that hold consumer data – should
engage management regularly about the company’s most critical data assets,
where they reside, how they are accessed, who has permission to access
them, and how and how often those systems are tested to ensure they are
adequately protected. They should ensure that adequate policies, including
crisis preparedness, are in place; that appropriate budgets are allocated
to IT security, which also includes funds for staff training and
information dissemination within departments and throughout the
organization; that proper experts and outside counsel are hired; and that
the company has appropriate cyber skill in IT.

How should boards disclose these risks?

The SEC released updated guidance on cybersecurity disclosure for public
companies on February 21, 2018.

The SEC listed cybersecurity as a top concern beginning back in 2014. In
recent years, the Commission explicitly argued that a public failure of
public companies to take disclosure obligations seriously would result in
enforcement action. SEC disclosure guidance requires a company to determine
disclosure obligations based on the “potential materiality of any
identified risk and, in the case of incidents, the importance of any
compromised information and the impact of the incident on the company’s
operations.” Other disclosure obligations include any pending or threatened
legal proceedings as well as insurance coverage, the effectiveness of
current controls and procedures, as well as a number of points on financial
statement disclosures including prevention cost.

One of the focuses of the February 21, 2018 update was on the role of the
boards. The new guidance notes that a company must include a description of
how the board administers its risk oversight function to allow investors to
assess how the risk oversight function in this area is being discharged.
The board should review company disclosure procedures to ensure that they
are properly managed. The guidance goes on to emphasize requirements
concerning timely data breach disclosures to investors.

The guidance also subtly points to the potential of civil lawsuits if
transparency is not forthcoming. Shareholder derivative suits are increasingly
used by investors after data breaches. These are often based on claims
alleging breach of fiduciary duties, mismanagement and material omissions.
This can be seen in recent shareholder lawsuits against Wyndham and Target,
among others.

Apart from the SEC guidance, there is a plethora of other
cybersecurity-related regulations and industry standards that boards should
also be aware of. These include the Health Insurance Portability and
Accountability Act (for health insurers and providers and their partners),
the NY Department of Financial Services Cybersecurity Regulation (for
financial institutions and insurance companies licensed in NY), incoming
requirements under the EU General Data Protection Regulation, which applies
to almost every organization that collects even the first and last name of
EU persons, a flood of new state laws requiring businesses to implement
cybersecurity programs to protect personal information, among many others.

The role of boards in cybersecurity risk mitigation and public company
disclosures is therefore very much in the limelight and more important than
ever. Given how business critical cybersecurity has become, the board will
need to carefully consider its role, responsibilities and expertise or
education going forward.