Cyber and network security exposures are no longer "emerging risks." The risks are here now. While security breaches are most frequently caused by human error, such as neglect of policy or the loss or theft of portable devices, the incidents attributable to phishing emails, malware and other targeted intrusions are rising dramatically.
In its latest annual study on data breach preparedness, the Ponemon Institute reports that 43% of companies have experienced a data breach in the past year. This alarming percentage, up 10% from last year, is all the more reason for company directors and officers ("Ds&Os") to focus efforts on privacy and data security measures. Ds&Os have a duty of care to protect corporate assets, and often the assets of business partners, which include confidential and proprietary information, reputation and goodwill. This includes overseeing that management has put systems in place to identify, mitigate, and manage risks.
A common misconception is that cybercriminals only target banks, retailers and multinational companies. The reality, however, is that cybercriminals are increasing their focus on small and mid-sized enterprises, which often tend to be more vulnerable because they trust that their software and firewalls are sophisticated enough to protect electronic data. Among any number of other industries, cybercriminals have been targeting the real estate industry as a rich source of personal information and bank account details to add to their saleable "inventory," and have also added law firms and accounting firms to their list of target sources.
General Principles of Risk Oversight
Risk oversight does not require Ds&Os to have a detailed understanding of technology. To minimize the risk of D&O liability, Ds&Os should take a direct role in understanding the company's cyber security practices and its protocols for dealing with a data breach. The board, a designated director or an appointed board committee should address company policies, processes, and programs. Company management should be charged with educating employees to safeguard information and to assure compliance with federal and state regulations as well as company policies. Both pre- and post-incident plans should be developed for any cyber security breach(es) to ensure that the company can respond once a problem presents itself. Consideration should also be given to developing a cross-functional "incident response team" that includes members with expertise in information technology, corporate communications, legal, and finance to handle any cyber-incidents. Both prevention and response plans tailored to anticipated cyber-attack scenarios are critical, and they should be tested and updated periodically.
Ds&Os should allocate sufficient time on board/corporate meeting agendas to review cyber security issues, and to evaluate what steps are being taken or needed to manage cyber risks. It is then that Ds&Os should consider whether there is a need for (or adequacy of) cyber insurance, including in a D&O policy. Involvement of legal counsel and possibly other consultants who understand the law, regulations, policies and processes of governance and risk management in this area is vital. Topics for review should include:
- Security protocols and lines of responsibility;
- Breach notification protocol and disaster recovery plans;
- Incident response plans;
- Crisis response and communications plans; and,
- Internal and external strategies for disclosure and management of an event.
Ds&Os should determine if specific cyber security insurance is needed and whether this insurance is adequate in relation to the possible expenses to the company if a data breach occurs. Commercial liability insurance may not cover damages associated with data theft, destruction, compromise or other harms from cyber security breaches. Cyber security insurance often covers expenses for:
- Business interruption, including lost revenues due to network disruption;
- "Event" management, including notifications, public relations and electronic data loss;
- Cyber extortion/ransom, including the investigation costs and reimbursement of monies paid to assure continuity of operations; and,
- Network security and privacy, including defense costs of claims, and payment of settlement and damages.
In addition to insurance protection, the documentation and audits that insurers require provide an opportunity to put prevention measures in place, along with loss-detection and reporting systems.
It has been estimated that nearly 90% of corporate assets are maintained on an electronic platform and susceptible to a tech/cyber crisis. While it is not easy to prove breach of the legal duties to protect electronically stored information, some claims are starting to succeed. And aside from any litigation topics, even a court victory will not remedy reputation, operational or enterprise damage.
This article was first published in Properties Magazine
About Brent Buckley