
Cyber Risk: Are Boards the New ‘Target’?

Directors and officers need to understand how to improve their insurance policy's response to cyber risk.

Kevin Kalinich and Michael Becker, Contributors
April 22, 2014 | CFO.com | US - Comments: 4

This is one of four articles in a special report on how CFOs can get the best prices and coverage when they negotiate the renewals of their companies’ insurance policies. Here are the others:

  • How CFOs Can Curb Insurance Costs

    Finance chiefs can slash their companies' property-casualty premiums by linking effective risk management to insurance buying.

  • Perfect Storm Looms for Insurance Pricing

    CFOs shouldn’t expect friendly insurance market conditions for the foreseeable future.

  • Do the Math Before You Buy Insurance

    Deciding how much insurance to buy can be tough when a company has little or no history of large losses on which to base such decisions.

For any public company, a large data breach, such as the latest Target hack, could be material enough to warrant the filing of a Form 8-K. According to the Consumer Bankers Association, the Target data breach has cost banks more than $200 million.

Target already faces dozens of claims, including consumer class-action lawsuits filed by those affected by the breach, putative class actions filed by banks, federal and state law enforcement investigations and congressional inquiries. In this case, it is the board of directors that is also now becoming a target. The shareholder derivative litigation against Target’s board of directors may be the start of the next wave of shareholder class action litigation – an action taken when shareholders allege that the board of directors has not satisfied its duty of care to manage such exposures.

Directors and officers liability insurance policies are designed to protect the directors and officers from allegations of wrongdoing. The company itself is generally only covered for securities claims, however. In the case of Target, the shareholders brought derivative actions alleging that Target’s directors and officers failed to take reasonable steps to maintain the security of their customers’ data, and as a result, caused substantial damages to Target for which they should be held liable. In other cases, shareholders have alleged via class-action lawsuits that directors and officers violated federal securities laws by failing to disclose material adverse facts about data breaches, which resulted in substantial shareholder losses following stock declines.

As a matter of good corporate governance, boards of directors must fulfill their fiduciary duties by conducting oversight. That’s because latency, privacy and security obligations can remain the legal burden of the entity’s board – even though a breach may be caused by a third-party outsourced service provider or anonymous hacker.

D&O Responds to Lawsuits

D&O policies can be designed to respond to such lawsuits. Most policies have very limited coverage for any fines and penalties levied, and the vast majority of D&O policies respond only to investigations in which directors or officers are personally named; they do not respond to investigations in which only the company is named. It is important that directors and officers understand how the D&O policy will respond to a data breach, and that they understand their available options for improving that response.

There are several steps that CFOs should consider taking when approaching corporate governance – including many that surround risk-mitigation techniques and strategies. For example, the breadth of a computer-network security breach will differ greatly for a business that’s solely in-house from one that outsources to third-party vendors. Therefore, an analysis should consider the specific risk-profile circumstances and risk appetite of each organization.

To help maintain financial and brand success by preventing data breaches and the losses related to them, the CFO should guide the board to exercise due diligence and direct management to:

  1. Identify and quantify cyber exposures.
  2. Mitigate cyber exposures, including conducting due diligence, reviewing contractual allocation of liability and implementing information technology security best practices in accordance with the National Institute of Standards and Technology Critical Infrastructure Framework issued on Feb. 12. While voluntary for now, the new federal cybersecurity framework is expected to become the de facto security requirement basis for data breach litigation.
  3. Consider actuarial modelling to analyze how much risk should be assumed versus transferred.
  4. Mandate an enterprise risk management collaborative approach. This is not just an IT issue. Coordinated communication among departments is critical.
  5. Comply with Securities and Exchange guidance.
  6. Ensure a comprehensive breach incident response plan is in place, including procedures for providing proper notice of a cyber incident to insurers for all possible insurance lines of coverage.

Certain security breaches trigger mandatory disclosure requirements for businesses when a number of events occur. A company’s CFO is responsible for ensuring compliance with these reporting mandates, in addition to personally certifying the company’s compliance with the internal controls provisions under the Sarbanes-Oxley Act. All of these requirements could be affected by cyber risks or insufficient coverage to minimize the impact of cyber risks to the financial statements.

According to research firm International Data Corporation, the market for big data will reach $16.1 billion in 2014, growing six times faster than the overall IT market. As boards of directors are feeling greater pressure to be the target in a cyber crisis, now is the time for CFOs to be aware, prepared and ready for future situations.

Kevin Kalinich is global practice leader for cyber insurance and Michael Becker is a senior vice president and D&O leader for Aon Risk Solutions.

4 responses “Cyber Risk: Are Boards the New ‘Target’?”

  1. Bob Farkas said 05/05/14 22:09pm

    It seems the targets are not only the Board but the CEO, with the subsequent promotion of the CFO by the Board.

    Typically data security would fall under the purview of the CFO, so that’s an odd evolution!
