In 2014, we saw some of the largest, most expensive and most highly publicized data breaches in history. Unfortunately, the early forecast for 2015 does not appear to be any better. According to Experian’s 2015 Data Breach Industry Forecast, the risk of experiencing a data breach is higher than ever (almost half of all organizations have suffered at least one security incident in the last 12 months). In the Information Age, it has become increasingly clear that the question is when, not if, a company will have a cybersecurity incident.
Speaking in June 2014 at a cyber risk conference at the New York Stock Exchange, SEC Commissioner Luis Aguilar emphasized the critical role that directors and officers must play in cybersecurity matters:
Given the significant cyber-attacks that are occurring with disturbing frequency, and the mounting evidence that companies of all shapes and sizes are increasingly under a constant threat of potentially disastrous cyber-attacks, ensuring the adequacy of a company’s cybersecurity measures needs to be a critical part of a board of director’s oversight responsibilities. . . . [B]oards that choose to ignore, or minimize, the importance of cybersecurity oversight responsibility do so at their own peril.
So what should directors and officers do to avoid becoming the “next Target” or the “next Home Depot”?
A good starting point is the Framework for Improving Critical Infrastructure Cybersecurity released by the U.S. Department of Commerce’s National Institute of Standards and Technology (“NIST Framework”). But the framework is very detailed and can be quite daunting to anyone dipping his or her toe into the deep waters of cybersecurity for the first time. So here are some initial steps to help get directors and officers heading in the right direction:
- Get educated: Directors and officers do not need to become IT experts to carry out their obligations to the corporation, but they cannot engage in oversight of cybersecurity risks if they have no idea what is going on. Many corporations have addressed this by creating separate board-level risk committees that are responsible for privacy and security risks. Counsel can assist in this respect by participating in training and/or by conducting a gap analysis of privacy-related policies and procedures.
- Hire full-time personnel: Directors and officers are, of course, entitled to the protection of the business judgment rule, and relying on qualified personnel helps preserve it. They should therefore employ a full-time Chief Information Officer (“CIO”) or Chief Privacy Officer (“CPO”) who can take the reins on implementing a cybersecurity plan or, if a plan is already in place, ensure that it meets industry standards and is actually being followed. If a company is not in a position to hire full-time personnel (or if the individual hired for this position will have limited day-to-day resources at his or her disposal), it may be necessary to bring in outside experts to assist with legal and technical issues.
- Be prepared: The industry best practice for incident response is to have an established team in place to handle cybersecurity incidents, perhaps including (but not necessarily limited to) the CIO/CPO, someone from IT, someone from legal, and someone from public relations/marketing. This team and their roles need to be established in advance—the last thing a company wants is to be scrambling to find the right people to handle a cybersecurity event after it has occurred. In addition to identifying the team, it is often helpful to engage in periodic case studies or table-top exercises so that the team is adequately trained in breach response. Counsel can assist with preparation by helping companies develop, update and periodically test an incident response plan and by helping companies identify sensitive data and delete obsolete legacy data containing sensitive information.
- Evaluate insurance: Directors and officers should also review the company’s insurance portfolio to confirm that it adequately covers both first-party claims (data breach notification costs, business interruption, etc.) and third-party claims (class action litigation, regulatory scrutiny, etc.) arising from cybersecurity incidents. General liability and property policies often do not respond to these losses, so in some instances it may be appropriate for the corporation to obtain separate cyber coverage. Counsel can assist by reviewing the current insurance portfolio for potential coverage, as well as by reviewing indemnification provisions in vendor contracts to help manage risk.
The bottom line is that directors and officers can no longer afford to view cybersecurity as merely an “IT issue” that can be handed off to someone in the organization without further thought. Cybersecurity issues can seem intimidating to those not familiar with the technology and legal issues at play, but the risk to corporations and their directors and officers is now so significant that these issues should be a primary focus at board meetings and in the C-suite at corporations of all types and sizes.