YET ANOTHER SLEEPLESS NIGHT
By Mike Shultz
In addition to all of the risks that CEOs and members of boards of directors take on, cyber risk is now likely the largest risk to personal financial well-being. A company that has not been hacked soon will be. Personal liability is now a very real risk, and it must be recognized and met with meaningful steps to protect the assets of the company, its leaders and its board.
SEC Commissioner Luis Aguilar, in a Spring 2014 speech, stated that C-Level officers and board members can’t expect to avoid personal responsibility for losses that might have been prevented by the application of “reasonable business judgment.” According to a recent New York Times article, Benjamin Lawsky, New York State’s top financial regulator, is considering a new rule that would require banks to obtain representations and warranties from vendors about the adequacy of their controls to thwart hackers.
There is little doubt that the risk of cyber hacking is a major threat to commercial enterprises, and the news headlines scream of new breaches every day. JP Morgan, Home Depot and even the Warren Buffett-owned Dairy Queen restaurants have had major breaches in the last few months. The breaches list Personally Identifiable Information (PII) losses that affect as many as 80 million individuals. Expenditures for legal fees, remediation and credit monitoring for affected customers are significant. They range from $3 million for a State of Utah breach to $171 million for Sony Corporation and the eye-popping $420 million for the Target breach.
The Federal government has provided some guidance for American businesses in a Presidential Executive Order (Executive Order 13636), and in more informative detail from the “Framework for Improving Critical Infrastructure Cybersecurity,” via the National Institute of Standards and Technology. The NIST report offers an overarching framework of core functions: identify, protect, detect, respond and recover. And while adoption of the cybersecurity framework is voluntary, it will likely become a key reference for regulators, insurance companies and the plaintiffs’ bar in assessing whether a company took steps reasonably designed to reduce and manage cybersecurity risks.
What constitutes “reasonable”? How can C-Level officers and members of the board of directors be protected in the execution of their responsibilities to protect the company from cyber risk?
A Reasonable Response
CEOs must apply reasonable oversight and control to ensure that cyber risk is understood and addressed. At a minimum, initiate the NIST framework, either with internal staff or with an outside consultant. The core framework comprises five functions: Identify, Protect, Detect, Respond and Recover.
- Identify known cybersecurity risks to the infrastructure.
- Develop safeguards to protect the delivery and maintenance of infrastructure services.
- Implement methods to detect the occurrence of a cybersecurity event.
- Develop methods to respond to a detected cybersecurity event.
- Develop plans to recover and restore the company’s capabilities that were impaired as a result of a cybersecurity event.
Here are specific critical steps to protect the company:
Develop Cybersecurity Policy and Procedures
Written policy and procedures that speak to both external and internal risk must be understood and approved by the board of directors – think “Sarbanes-Oxley for cybersecurity.” Develop processes for granting and denying access to vendors and other outside parties. Define employee password policies and access procedures. Train employees, since they are a significant source of risk to the effective use of password management and access controls. Clarify information and data ownership policy and maintain contacts for managing data needs. Establish data storage plans based upon size, age and access.
Install Intrusion Detection and Response Processes
Define the physical infrastructure for access and interfaces. Develop a technology map of the infrastructure that includes both physical and software approaches to detect and manage any intrusions. Ensure that C-Level officers and board members will be immediately notified in the event of a breach.
Prepare in Advance for Remediation
As soon as a breach is discovered, the recovery management process must be “automatic.” Most states have requirements for notifying persons affected by the release of Personally Identifiable Information (especially PII covered by HIPAA). In some cases, the law requires that notification occur within hours so that victims of the breach can take defensive actions. Clearly define the steps that the company will take to recover and protect PII, and to the extent possible, ensure that these actions will be automatic.
Review Insurance Coverage
The CEO and board should review Directors and Officers (D&O) Liability coverage with an eye to exclusions for cyber risk. Most D&O policies have a carve-out for this risk, even though many CEOs and directors mistakenly believe that they have insurance coverage.
Cyber risk is here to stay. Newspaper and business magazine headlines seem to mention cyber breaches almost daily. The continuing growth of internet-based business activity ensures increasing exposure to the financial risk of improperly released personal information.
CEOs must take the lead on protecting their companies, themselves and their board members. It was already important; now with the change in SEC policy, it’s become urgent.
Mike Shultz is the founder and principal of Barometer Group. With over 40 years’ experience in high tech enterprises, he has founded and sold successful ventures in the electronics, e-commerce and security software markets. As the CEO of Infoglide Software, he led it to a successful exit through its acquisition by FICO in 2013. Mike started Barometer Group in early 2014 to develop solutions to the personal cybersecurity liability risk to board members and executives.