Cyber Risk: Are Boards the New ‘Target’?

For any public company, a large data breach, such as the latest Target hack, could be material enough to warrant the filing of a Form 8-K. According to the Consumer Bankers Association, the Target data breach has cost banks more than $200 million.

Target already faces dozens of claims, including consumer class-action lawsuits filed by those affected by the breach,  putative class actions filed by banks, federal and state law enforcement investigations and congressional inquiries.  In this case, it is the board of directors that is also now becoming a target. The shareholder derivative litigation against Target’s board of directors may be the start of the next wave of shareholder class action litigation – an action taken when shareholders allege that the board of directors has not satisfied its duty of care to manage such exposures.

Directors and officers liability insurance policies are designed to protect the directors and officers from allegations of wrongdoing. The company itself is generally only covered for securities claims, however.  In the case of Target, the shareholders brought derivative actions alleging that Target’s directors and officers failed to take reasonable steps to maintain the security of their customers’ data, and as a result, caused substantial damages to Target for which they should be held liable. In other cases, shareholders have alleged via class-action lawsuits that directors and officers violated federal securities laws by failing to disclose material adverse facts about data breaches, which resulted in substantial shareholder losses following stock declines.

As a matter of good corporate governance, boards of directors must fulfill their fiduciary duties by conducting oversight. That’s because latency, privacy and security obligations can remain the legal burden of the entity’s board – even though a breach may be caused by a third-party outsourced service provider or anonymous hacker.

D&O Responds to Lawsuits

D&O policies can be designed to respond to such lawsuits. Most policies have very limited coverage for any fines and penalties levied, and the vast majority of D&O policies only respond to investigations in which directors or officers are personally named. It does not respond to investigations in which only the company is named.  It is important that directors and officers understand how the D&O policy will respond to a data breach. And d’s and o’s need to understand their available options to improve the D&O policy response.

There are several steps that CFOs should consider taking when approaching corporate governance – including many that surround risk-mitigation techniques and strategies. For example, the breadth of a computer-network security breach will differ greatly for a business that’s solely in-house from one that outsources to third-party vendors. Therefore, an analysis should consider the specific risk-profile circumstances and risk appetite of each organization.

To help maintain financial and brand success by preventing data breaches and the losses related to them, the CFO should guide the board to exercise due diligence and direct management to:

1. Identify and quantify cyber exposures.
2. Mitigate cyber exposures, including conducting due diligence, reviewing contractual allocation of liability and implementing information technology security best practices in accordance with the National Institute of Standards and Technology Critical Infrastructure Framework issued on Feb. 12. While voluntary for now, the new federal cybersecurity framework is expected to become the de facto security requirement basis for data breach litigation.
3. Consider actuarial modelling to analyze how much risk should be assumed versus transferred.
4. Mandate an enterprise risk management collaborative approach. This is not just an IT issue. Coordinated communication among departments is critical.
5. Comply with Securities and Exchange guidance.
6. Ensure a comprehensive breach incident response plan is in place, including procedures for providing proper notice of a cyber incident to insurers for all possible insurance lines of coverage.

Certain security breaches require mandatory disclosure requirements from businesses when a number of events occur. A company’s CFO is responsible for ensuring compliance with these reporting mandates, in addition to personally certifying the company’s compliance with the internal controls provisions under the Sarbanes-Oxley Act. All of these requirements could be affected by cyber risks or insufficient coverage to minimize the impact of cyber risks to the financial statements.

According to research firm International Data Corporation, the market for big data will reach $16.1 billion in 2014, which is growing six times faster than the overall IT market. As boards of directors are feeling greater pressure to be the target in a cyber crisis, now is the time for CFOs to be aware, prepared and ready for future situations.

Kevin  Kalinich is global practice Leader for cyber insurance and Michael Becker is a senior vice president and D&O leader for Aon Risk Solutions.