Among the many issues that keep directors and officers awake at night is the threat of a cyber attack. Brand-name companies – from Anthem and Premera to Home Depot, JPMorgan Chase, T-Mobile, Sony, and others – that have experienced data breaches have shed light over the last few years on the tremendous exposure businesses face from cyber criminals. Moreover, HEI Hotels & Resorts’ recent announcement that 20 of its hotels, representing brands that include Marriott, Starwood, Sheraton and Westin, were affected by a data breach is further evidence of the extent of the risk companies need to address. Addressing this risk begins at the top, with directors and officers and their duty to have a robust cyber security program in place.
In fact, the Securities and Exchange Commission (SEC) has over the last five years shown a heightened interest in how corporations and their boards of directors handle and disclose cyber security issues, beginning with its October 13, 2011 guidance on cyber security disclosure obligations. The SEC also held a roundtable on cyber security in March 2014 and, in early 2014, initiated investigations into the handling and disclosure of data breaches at several corporations, including Target. Underscoring the agency’s concern about corporate cyber security, Commissioner Luis Aguilar spoke in June 2014 at a New York Stock Exchange conference on “Cyber Risks and the Boardroom,” during which he warned that “boards that choose to ignore, or minimize, the importance of cyber security oversight responsibility, do so at their own peril.”
Furthermore, in his October 2015 speech at the 12th Annual Boardroom Summit & Peer Exchange, Aguilar reiterated the increasing importance of a board’s oversight role in risk management regarding cyber security, saying the following:
“The frequency of cyber-attacks—and the likelihood of more—has only served to ratchet up the pressure on company boards to effectively implement enterprise risk oversight. Indeed, shareholders have sued boards of directors for failing to guard against cyber-attacks, alleging breaches of fiduciary duties and oversight failures, among other things. Moreover, boards also need to be aware of the increased regulatory focus on a company’s cyber security oversight. For example, recently the U.S. Court of Appeals for the Third Circuit affirmed the authority of the Federal Trade Commission to pursue enforcement actions against companies that fail to employ reasonable and appropriate cyber security measures for consumers’ sensitive personal information. In addition, just last month the SEC brought its first case against a registered investment adviser alleging that its failure to establish required cyber security policies and procedures compromised the personal information of roughly 100,000 individuals.
Fortunately, many boards are becoming more diligent in responding to the increased cyber security threat. For example, in early 2015, a survey of nearly 200 directors of public companies highlighted a trend towards more board-level discussion of cyber security matters, finding that more than 80% of participants indicated that cyber security is discussed at most, and in some cases all, board meetings. A separate May 2015 survey of global financial institutions confirmed this trend and found that, in addition to cyber security concerns, boards are devoting more time to risk management in general and to addressing key risk issues.”
What Should a Board of Directors Do to Address Cyber Risks?
Boards of directors should first ask themselves these key questions:
- Do we understand the nature of the cyber threat as it applies to our company?
- Do the board processes and structure support high-quality dialogue on cyber matters?
- What are we doing to stay current as the cyber threat landscape continues to evolve?
In addition, boards should request regular updates about cyber risks, and not just from the CEO or CIO. They should also question the organization’s management directly on cyber security issues, including the following:
- Are profit-generating assets adequately secured?
- How well protected is high-value information?
- Is the organization’s cyber security strategy aligned with its business objectives?
- How is the effectiveness of the cyber security program measured?
- Is the organization spending appropriately on security priorities?
- Would the organization be able to detect a breach?
- Does the cyber security function have access to adequate resources?
- How does the organization’s security program compare to that of its peers?
Moreover, ensuring that the right Cyber Liability insurance program is in place is critical to any business’s risk management plan in the event a data breach occurs. Also important is reviewing an insured’s Directors & Officers (D&O) Liability insurance policy and the coverage available both for the entity itself and for its executives. RPS provides robust Cyber and D&O insurance products for a diverse range of industries and can assist you in putting together a comprehensive plan.
Sources: SEC, EY’s Cyber Program Management