Proof that cyber threats are trending worse, not better, was on hand starting last week, when a massive global ransomware attack infected computer systems in over 150 countries. The aptly named “WannaCry” malware was unleashed on business and governmental sectors across the globe. While there is no total yet of the damage inflicted in the wake of the attack, we know that some victims paid Bitcoin ransoms, some lost core operations, and some made do with, wait for it, paper records. Reported to be among those infected were FedEx, Telefonica, scores of medical facilities across the United Kingdom, European financial institutions, and auto manufacturers.
This latest security incident underscores the imperative for senior officers and directors to keep business operations both online and safe. The twenty-first century board of directors will have to focus its corporate governance efforts on cyber security as much as it would on virtually any other critical business decision. Without such a governance focus, long-term survival may be impossible.
Cyber corporate governance arguably now includes maintaining responsive insurance protection. Cyber insurance products continue to develop and provide some attractive protection if you know what to look for. And the insurance product nearest and dearest to most managers — directors’ and officers’ (D&O) insurance — will become even more significant to deal with cyber-related claims. Ironically, corporate boards may soon be facing a management liability exposure for failing to adequately insure corporate assets from cyber perils.
Emerging Enforcement Risks
Gone are the days when senior management could simply task the head of information technology to address whatever cyber issues were deemed most important. Officers and directors are now expected to involve themselves directly in securing company systems and data. If they fail, they are likely to face enforcement action as well as shareholder ire.
In January, the Wall Street Journal reported that the SEC had commenced an investigation into Yahoo to determine whether “two massive data breaches should have been reported sooner to investors.” More recently, Verizon’s acquisition price for Yahoo was adjusted downward by about $350 million as a result of the breaches. And in New York, the state Department of Financial Services issued new cybersecurity regulations mandating that financial services firms designate a senior executive to sign a certification confirming compliance with the Part 500 regulations. Other states are expected to follow New York’s lead.
While there have been a number of derivative actions filed against senior corporate management based upon cybersecurity breaches, most of those cases were defeated before any trial or factual hearing. That does not mean, however, that liability will not be found in a future lawsuit targeting corporate managers.
Last month, the first crack in the armor may have appeared when Home Depot settled an investor lawsuit aimed at its management. Although Home Depot had won dismissal of the derivative action against its managers at the trial court level, it entered into a settlement before the appeal was adjudicated, whereby it paid over $1 million to the claimants’ attorneys. The company also “negotiated corporate governance reforms [to] enable proper monitoring of the company’s data security systems and provide greater oversight by the board through periodic reports from management regarding the company’s cybersecurity practice.”
Facing a possible change in the management liability tide, smart corporate management of cyber perils requires these steps:
Resources: Management cannot skimp on money, human resources, or direct management involvement. While data breaches may appear unstoppable, managers will nonetheless be expected to persevere and employ reasonable cyber safeguards. One current trend is to create the position of CISO (chief information security officer) and provide that position with reasonable autonomy and access to the highest management levels to ensure the requisite funding. The CISO should have the ear and backing of the president and the chief executive officer.
Planning: Companies that have both pre-incident and post-incident plans in place are better positioned to avoid or at least minimize the impact of a security breach. The plans must be updated, comprehensive, and protected (some hackers steal incident response plans on the way out).
Implementation: Cyber incident plans, protocols, and procedures must be tested and taught. There are now scores of penetration-testing and vulnerability-assessment firms that can be vetted for this role. Not only must systems be secured but so too must users’ online habits. Most intrusions do not begin with brute force against the network perimeter. Rather, they induce users to open an attachment, click on a malware link, or hand valuable information to an online imposter. Basic hygiene matters as well: WannaCry spread from machine to machine by exploiting a Windows vulnerability for which a patch had already been available for two months, so organizations that had applied it were largely spared. Training and retraining, together with timely patching, is essential corporate governance.
D&O and Cyber Insurance Protection
Regulators and lawmakers have indicated that corporations should consider whether to protect themselves with cyber insurance products. This fact alone raises the prospect of future lawsuits against corporate managers where they failed to purchase cyber insurance and were ultimately stung by a breach. But buying a quality cyber insurance policy is easier said than done. It takes work and smart shopping.
D&O insurance will become more and more valuable to fend off shareholder-driven cyber litigation. D&O remains one of the broadest and most valuable insurance products around. It can respond to allegations of failure to adequately disclose cyber risk; mismanagement of cyber security; alleged insider-selling during the throes of a cyber incident; or any number of other cyber-related allegations that qualify as a “wrongful act” under the policy.
Officers and directors should take care to ensure that their D&O policies remain clear of cyber exclusions that have taken hold in other lines of coverage. It’s equally important to make sure that applications for D&O insurance and cyber insurance are answered carefully and accurately. Some insurance applications ask questions that are calculated to be broad, tricky, and vague. This can present a terrible trap for policyholders just when they need their coverage most.
With smart cyber risk management at the most senior level of the corporation, officers and directors can vastly improve their position before shareholders, regulators, and judges. Quality insurance will strengthen that position when cyber incidents ultimately strike.
Joshua Gold is a shareholder in Anderson Kill’s New York office.