Global Cyber Attack: Boardroom Wakeup Call

Cybersecurity Breaches: Blame Directors and Officers?

By Judy Selby

The global cyber attack should be a boardroom wakeup call. When cybersecurity breaches occur, fingers are increasingly being pointed at the board of directors and top management.

In its new cybersecurity regulation, New York State's powerful Department of Financial Services squarely put responsibility for cybersecurity on the shoulders of directors and senior officers, requiring them to approve a mandatory cybersecurity policy and to certify compliance with the regulation each year.

And earlier this year, Yahoo revealed its general counsel resigned following an internal investigation that concluded that its recent data breach "was not properly investigated and analyzed at the time, and the company was not adequately advised with respect to the [associated] legal and business risks."  In addition, Yahoo's CEO Marissa Mayer agreed to forgo her annual bonus and equity grant because the breach took place during her tenure; and recently it was announced she’s leaving the company.


Without a doubt, accountability for cybersecurity has expanded well beyond the IT staff to the highest levels of corporate America. Today's directors and senior officers need to educate themselves about cybersecurity risks and exercise active, informed, and engaged oversight of cyber issues. Here are some recommended first steps directors and senior officers should take to satisfy their emerging responsibilities.

Know What Questions to Ask

Consistent with their escalating cyber responsibilities, today's directors and officers need to increase their knowledge of their entity's cybersecurity risk profile. Hard questions need to be asked about cyber issues: what mission-critical and legally protected information the company holds, where it is stored and how it is secured; the company's state of compliance with relevant laws and regulations; its cybersecurity programs, policies and practices; how it manages and monitors its vendors; and the potential financial impact of a security incident.

Cybersecurity should be a standing item on board meeting agendas, and serious consideration should be given to creating a formal cybersecurity committee. Understanding an organization's cyber risk requires a holistic view of its data assets that takes into account not only IT and legal risk but also risk to the business. Relying entirely on the company's "IT guy" or gal and its general counsel for an unbiased and comprehensive analysis of the company's cyber risk profile may not be reasonable, since both have a stake in the assessment, so retaining an independent third-party cybersecurity consultant and outside counsel should be considered.


Directors and officers must treat the company's cyber risks in the same manner they treat other corporate risks: they need to weigh how much risk the enterprise should mitigate, how much it can absorb, and how much it should transfer. As with many other corporate risks, insurance may be a good option for transferring part of the exposure, provided the policy's exclusions and sub-limits are understood before an incident occurs.

Determine Current Cybersecurity State

It's impossible to determine whether an entity is cyber-ready without first understanding its current state of cybersecurity. A company should conduct a risk assessment to establish its current state and then perform a gap analysis against its desired state. This can be done internally, or the company can commission a third party. The desired state may be driven by regulation, industry standards, consumer expectations, corporate brand and reputation, and/or a multitude of other factors. Once it has ascertained the delta between the current and desired states, the company can prioritize its remedial efforts and decide on a plan to achieve its cyber readiness goals.

Prepare an Incident Response Plan

Research consistently shows that companies with a current and practiced Incident Response Plan (IRP) fare much better in the wake of a cybersecurity incident than unprepared companies. Entities are urged to form a team of internal and external resources, including legal, compliance, IT, human resources, public relations/communications, privacy, and finance, to develop and rehearse (for example, through tabletop exercises) an IRP that is well tailored to the company's specific cyber risk profile. The plan should be regularly reviewed and updated as necessary. Directors and officers should ensure that the enterprise develops and implements an appropriate IRP before a cyber incident occurs.

Compare the public perception and stock performance of Target and Home Depot in the immediate aftermath of their respective data breaches to understand just how much difference an IRP can make. Though both breaches were massive in scope (in fact, Home Depot's may have affected 14 million more individuals than Target's), Home Depot received far less flak from its customers.

Unlike Target, which waited almost a week before notifying customers of a confirmed breach, Home Depot had a plan in place that enabled it to respond and notify customers within a day of learning of a possible breach, before investigators had confirmed it. It also offered free credit monitoring and identity resolution services, a staple of a good IRP, providing immediate relief to affected customers. Target also offered customers free credit monitoring, but not until January 12, 2014, nearly a month after the company publicly confirmed the breach.

Employee Training and Awareness

Cyber incidents traceable to negligent and noncompliant employees continue to plague today’s enterprises.  All employees need to be educated as to the crucial role each of them plays in protecting the company’s information assets. 

In addition to providing regular, interactive and mandatory training programs, companies should develop processes to inform employees of emerging threats and schemes that pose risk to the company. Directors and officers should not exempt themselves from cybersecurity training and should prioritize a top-down culture of cybersecurity compliance throughout the enterprise.

In numerous settlements, state and federal regulators have required companies to design and implement employee training programs that demand participation at the most senior levels of the company. In 2012, a California regulator specifically required the CEO and the chief medical officer of a regional hospital to undertake HIPAA training following a privacy violation at the hospital. While the effectiveness of that training program has not been publicized, user error remains a leading cause of incidents; IBM research has attributed roughly 60 percent of attacks to insiders, a meaningful share of them inadvertent rather than malicious.

We’ve worked with many clients who have state-of-the-art cyber defense technologies in place but have been breached because of employee negligence.

More and more, the responsibility for cybersecurity is being placed at the feet of corporate directors and officers, and leadership needs to play an instrumental role in moving beyond implementation to create a culture of cybersecurity in the workplace. They need to exercise active, informed and engaged oversight of cybersecurity. They are urged to document their efforts, and to trust, but verify, internal reports concerning the company's cyber risk profile and readiness.