Cyber Risk & the CEO

Feb 14, 2015 | Departments, Governance


YET ANOTHER SLEEPLESS NIGHT

By Mike Shultz

In addition to all of the risks that CEOs and members of boards of directors already carry, cyber risk is now likely the largest threat to their personal financial well-being. A company that has not been hacked soon will be. Personal liability is now a very real risk; it must be recognized, and meaningful steps must be taken to protect the assets of the company, its leaders and its board.

SEC Commissioner Luis Aguilar, in a Spring 2014 speech, stated that C-level officers and board members cannot expect to avoid personal responsibility for losses that might have been prevented by the application of “reasonable business judgment.” According to a recent New York Times article, Benjamin Lawsky, New York State’s top financial regulator, is considering a new rule that would require banks to obtain representations and warranties from their vendors about the adequacy of the vendors’ controls against hackers.

There is little doubt that hacking is a major threat to commercial enterprises, and the news headlines scream of new breaches every day. JP Morgan, Home Depot and even the Warren Buffett-owned Dairy Queen restaurant chain have suffered major breaches in the last few months. The disclosed losses of Personally Identifiable Information (PII) affect as many as 80 million individuals. Expenditures for legal fees, remediation and credit monitoring for affected customers are significant: they range from $3 million for a State of Utah breach to $171 million for Sony Corporation and an eye-popping $420 million for the Target breach.

The Federal government has provided some guidance for American businesses in a Presidential Executive Order (Executive Order 13636) and, in more informative detail, in the “Framework for Improving Critical Infrastructure Cybersecurity” published by the National Institute of Standards and Technology (NIST). The NIST framework organizes security activity into five core functions: Identify, Protect, Detect, Respond and Recover. While adoption of the framework is voluntary, it will likely become a key reference for regulators, insurance companies and the plaintiffs’ bar in assessing whether a company took steps reasonably designed to reduce and manage cybersecurity risk.

What constitutes “reasonable”? How can C-level officers and members of the board of directors be protected while executing their responsibility to protect the company from cyber risk?

A Reasonable Response

CEOs must apply reasonable oversight and control to ensure that cyber risk is understood and addressed. At a minimum, adopt the NIST framework, either with internal staff or with an outside consultant. Its core comprises five functions: Identify, Protect, Detect, Respond and Recover.

  • Identify known cybersecurity risks to the infrastructure.
  • Develop safeguards to protect the delivery and maintenance of infrastructure services.
  • Implement methods to detect the occurrence of a cybersecurity event.
  • Develop methods to respond to a detected cybersecurity event.
  • Develop plans to recover and restore the company’s capabilities that were impaired as a result of a cybersecurity event.

Here are specific critical steps to protect the company:

Develop Cybersecurity Policy and Procedures

Written policy and procedures that address both external and internal risk must be understood and approved by the board of directors; think “Sarbanes-Oxley for cybersecurity.” Develop processes for granting and revoking access for vendors and other outside parties. Define employee password policies and access procedures. Train employees, since they are the weakest point in password management and access controls. Clarify who owns which information and data, and maintain contacts responsible for managing data needs. Establish data storage and retention plans based on size, age and access requirements.

Install Intrusion Detection and Response Processes

Document the physical and network infrastructure, including its access points and external interfaces. Develop a technology map of the infrastructure that covers both physical and software measures for detecting and managing intrusions. Ensure that C-level officers and board members will be notified immediately in the event of a breach.

Prepare in Advance for Remediation

Once a breach is discovered, the recovery management process must be “automatic.” Most states have requirements for notifying persons affected by the release of Personally Identifiable Information (and health information covered by HIPAA carries its own notification rules). In some cases the law sets a short, fixed deadline for notification so that victims of the breach can take defensive action. Clearly define the steps that the company will take to recover and protect PII, and to the extent possible, ensure that these actions are automatic.

Review Insurance Coverage

The CEO and board should review their Directors and Officers (D&O) liability coverage with an eye to exclusions for cyber risk. Most D&O policies carve out this risk, even though many CEOs and directors mistakenly believe that they are covered.

Cyber risk is here to stay. Newspaper and business magazine headlines mention breaches almost daily. The continuing growth of internet-based business activity guarantees increasing exposure to the financial risk of improperly released personal information.

CEOs must take the lead on protecting their companies, themselves and their board members. It was already important; now with the change in SEC policy, it’s become urgent.

Mike Shultz is the founder and principal of Barometer Group. With over 40 years’ experience in high tech enterprises, he has founded and sold successful ventures in the electronics, e-commerce and security software markets. As the CEO of Infoglide Software, he led it to a successful exit through its acquisition by FICO in 2013. Mike started Barometer Group in early 2014 to develop solutions to the personal cybersecurity liability risk to board members and executives.

