Cyber-Risk Forum as Advertised by SVDX
Directors aren’t chief technology officers (CTOs): What is the “right” level of inquiry and diligence when it comes to cyber-threats? Where will boards be held responsible for cyber-failures, and what can they do to protect their shareholders and themselves from frivolous suits? What did the Target board fail to do that the Wyndham board did so well? The panel includes active public company board members, a corporate governance expert steeped in the ethos of Silicon Valley and a renowned cyber-liability insurance expert. The program will be both practical and interactive.
The Cyber-Risk SVDX Panel
Laura Stein serves as senior vice president – general counsel of The Clorox Company, with responsibility for the company’s worldwide legal, ethics and compliance, corporate secretary, corporate communications, crisis management, risk management and internal audit matters. Laura also serves on the boards of Franklin Resources, Inc.; Corporate Pro Bono Advisory Board; Equal Justice Works; Leadership Council on Legal Diversity; Harvard Law School Program on the Future of the Legal Profession and the American Judicature Society.
Lauri Floresca is senior vice president and E&O/cyber-team leader at Woodruff-Sawyer & Co. She has a background in underwriting executive liability products and more than 20 years’ experience in the insurance brokerage and risk management industry.
As a partner at DLA Piper, Ed Batts counsels publicly traded companies in complex mergers and acquisitions, corporate governance and public offerings. He has particular experience with cross-border transactions, public/public mergers, tender offers, going private transactions, public reporting obligations, including activist investor situations, stockholder proposals and accounting related issues.
Priya Cherian Huskins serves on the board of Realty Income Corporation (NYSE: O), where she chairs the governance and nominating committee and serves on the strategic planning committee. Priya is also a partner at Woodruff-Sawyer & Co., a recognized expert in D&O liability risk and its mitigation and is the author of the popular weekly blog, the D&O Notebook. Priya is a member of the board of directors of SVDX, and is on the advisory board of the Stanford Rock Center for Corporate Governance.
My Cryptic Notes on the Cyber-Risk Forum
Cyber-risk responsibilities are simply an evolution of protecting employee and other data. Look at policies; make sure they are evolving. Identify critical information, response plan, not just in IT as a silo but throughout your enterprise. It is a good idea to seek a third party risk assessment to ensure you have all bases covered. Don’t forget third party risks. They can damage your company’s reputation just as much.
Target settlement (Target Corporation Customer Data Security Breach Litigation, U.S. District Court, District of Minnesota, No. 14-md-02522) requires a chief information security officer. Resourced properly. Reporting to CIO? Heightened risk in financial services. Team effort.
Boards need the ability to hold discussions directly with the cyber-security officer. You don’t need to be a cyber-risk expert to ask the right questions concerning organization, board format for getting information and acting on it, assets (heat map), exercises.
Table-top exercise recommended with an additional obstacle, such as a breach occurring after key person is taken out and there is a race to meet next threat. Change management is inherent in board governance and management. National Institute for Standards and Technology mentioned as one of several resources.
Liability; Target’s directors are now in jeopardy. There is danger in segmenting the board by bringing on a cyber-risk expert. Same as any specialized area. Every board has financial expert. Many have social media expert but we really need great oversight of cultural issues. Effective directors important but not necessarily a specialist. Boards might want to acquire expert advice to review cyber-risk… undertake an outside risk assessment.
Opposition forces banging on the network. Pre-engage PR firms. No, boards should not engage outside testing without knowledge of management. Consumer data-breach insurance if often really broad but covers direct losses. Loss value of intellectual property is very difficult to assess.
Business interruption and critical infrastructure are often covered. General liability policy usually excludes coverage of breaches. D&O will normally cover just impact on directors. Policies are now covering whole event, except future loss due to reputation, etc. Minimum standards? Underwriting process will generally look at potential risks.
Boards are often actively involved in budgeting but that’s a fine line. Let management do their job after inquiring as to adequacy. How much would it cost us to recapture reputational loss? Companies cannot buy enough insurance to cover reputational risk. Reputation is everything. Trust is everything. $10M settlement for Target is nothing compared to reputation loss. Lots of work in protecting brand after a breach.
Initial public response. Lawyers want only actual facts disclosed. Companies might go out and say something that later has to be retracted and restated as more is learned. How much do you detail past breaches? Can point out vulnerabilities. What is a material breach? Complying with 34 Act. See Federal Laws Relating to Cybersecurity: Overview of Major Issues, Current Laws, and Proposed Legislation.
Wyndham (suit against board for epic failure but board met 14 times, audit com met 16 times– suit dismissed), Home Depot, Anthem Blue Cross, Target, etc. Target – side window breach. Healthy skepticism and questions. Reasonable conversation will cover board.
ISS said vote against 7 out of 10 Target directors (those on audit committee). Glass Lewis did not recommend against; said there was not enough information. All were reelected. Not a question of if but when. Need to focus on response plan to limit risk to consumers, employees, brand.
What are the questions that directors should ask? Checklists helpful but not end of story. Rogue malware got in though an HVAC vendor. Government framework, checklists good starting points. MasterCard sued Nike for poaching several from their security officers. Need confidence in technical abilities of security officers. Multiple sources – criminal to sovereign nations. Where is your confidential information? Focus on that – monitoring both externally and internally.
Risk committee, audits, full boards. Doing a lot of check-ins, progress monitoring. Boards need to get comfortable with where risk is. What is our interplay with government? How do you share and not be sure government is not taking advantage? Somewhere in your chain is credit card vulnerability. Insurance exclusions may not cover state-sponsored terrorism.
Government is saying we’re here to help. Much of the technology is happening before the law catches up. Tale of Chiquita cooperating and then getting indicted. There’s the bribe, then there is the breach of books and records requirements. Material risks. FBI might let you know of breach. Companies are hiring away government experts. Line between government and contractors is blurry.
What am I supposed to do? Mr. Batts offered up his blog, Accrued Knowledge, which is focused principally on public company matters including M&A and corporate governance.
Devoting time, using checklists, etc. If you don’t have sufficient grasp, seek external advisors – security firms, legal shops. Remediate identified vulnerabilities. Cyber-risk is not a silo but company-wide issue. Additionally, all accounting firms have resources.
What if smaller or nonprofit? Same assessment. Do we have the resources to defend? Cyber insurance products may include some services for smaller organizations. Figuring out what is the vulnerability and who is best to build, that’s the task of board. Maybe you want to move to a third-party and negotiate responsibilities. Can you engage or do you need someone else to? Nonprofits are not exempt.
How does attorney-client privilege enter? Better to bring in early.
What cyber-risk can be transferred? Business judgment rule applies, similar to others risks.
SVDX and the Arthur and Toni Rembe Rock Center for Corporate Governance, I feel so lucky to be able to attend their programs – a great partnership.
Cyber-Risks: Additional Reading
- Cyber Risks: The Growing Threat
- The Institute of Risk Management
- Net Losses: Estimating the Global Cost of Cybercrime
- The Six Trends of Cyber Risk in 2014 | PropertyCasualty360