Cyberattacks on businesses are now weekly news as breaches of personal information are announced regularly by brand name companies—Target, Neiman Marcus, Home Depot, Jimmy Johns, JP Morgan Chase, and others. Even before the most recent wave of privacy breaches, professionals in the insurance industry were aware of the serious threat posed by cybercrime. However, until recently, many corporate executives did not share the view of risk professionals on the importance of addressing cybersecurity at the board level.
Directors tended to view cybersecurity as chiefly a technical or operational concern whose value, unless their company had been attacked, was difficult to quantify. According to a 2013 Risk Management Society Survey, risk professionals ranked cyberrisk as their top risk priority, while senior executives ranked it only twenty-sixth. However, executive perceptions of cyberrisk are changing—a 2014 survey of directors reveals that data security is now the top issue keeping them awake at night.1
The growing prominence of cybercrime underscores the significance of cybersecurity and planning as a management issue. Given the technical nature of cybersecurity, a question naturally arises about the role that directors and officers should play. There is scant case law explaining the duties of directors and officers for corporate cybersecurity, although the number of lawsuits against directors and officers as a result of cyberbreaches is rapidly growing. Eventually, some of these lawsuits will result in written opinions. Until then, a review of the threat posed by cybercrime and the relevant duties of directors and officers (and how plaintiffs are framing those duties) provides a helpful backdrop for identifying measures that directors and officers may wish to take to protect their companies.
The Cost of Poor Cybersecurity
Not surprisingly, external cyberattacks are the principal cause of data breaches of personal information. According to the Identity Theft Resource Center, cyberattacks caused more than 25 percent of the data breaches reported in 2013.2 Consistent with this, the New York attorney general recently announced that 40 percent of the almost 5,000 breaches recorded in the state from 2006 through 2013 were caused by hacking.3
According to the 2014 Verizon Data Breach Investigations Report, most data breaches in 2013 were perpetrated by outsiders. The chart below shows the most common types of cyberattacks.
Figure 1: Most Common Cyberattacks
Cyberattacks are more advanced than ever, perhaps explaining why director and officer attitudes toward cybersecurity have lagged behind the threat such attacks present. Malware has become more sophisticated as the developers have become more creative in camouflaging their work and utilizing servers designed to resist surveillance. Cyberattacks are now conducted by sophisticated organizations located throughout the world—indeed, in some instances backed by the governments of large countries—that specialize in seeking out vulnerabilities in companies' firewalls and developing tools to hijack the companies' networks. These tools are then exploited by the hackers themselves, sold on the black market to the highest bidder, or even used to blackmail the hijacked company.
Complex targeted attacks, sometimes known as advanced persistent threats (APTs), are increasingly being used to gain access to proprietary and confidential enterprise data. Moreover, companies' increased reliance on new technologies (such as mobile banking and cloud computing), and on relationships with third parties,4 increases these vulnerabilities and provides new points of entry for hackers. Indeed, the ninth annual Worldwide Infrastructure Security Report found that, since 2012, there has been a 36 percent increase in APTs and that attacks against mobile networks have doubled.5
The cost of poor cybersecurity, particularly from large breaches of personal health and financial information, can be substantial. On average, the cost in 2013 to remediate a data breach was $5.85 million, 15 percent higher than in 2012.6 If a company also loses payment card data in a data breach, it may also face substantial fines and assess costs from payment card associations and banks. For example, Genesco, a large retailer with over 2,440 stores, suffered a significant data breach in 2010, which led to the imposition of almost $13.3 million in Payment Card Industry Data Security Standard (PCI-DSS) fines and assessments.7 Industry analysts have estimated Target's data breach losses, including losses from credit card fraud and PCI-DSS fines and penalties, may approach $1 billion.8
The legal costs from breaches are also substantial. Large breaches typically are followed by class action lawsuits on behalf of persons whose personal information was compromised. Although such lawsuits have often struggled to survive dismissal due to difficulties in showing actual harm resulted from the lost personal data, class action data breach suits are expensive to defend. Also, federal and state regulatory agencies, such as the Federal Trade Commission, the Department of Health and Human Services, and state attorneys general acting on behalf of affected residents are very active in investigating data breaches of personal information.
Poor security can present other risks for a company, potentially exposing its trade secrets and other proprietary information, tarnishing its reputation, and undermining its relationship with customers. Lost business and damage to reputation can be significant: US companies estimated losing $3.3 million in business on average due to data breaches in 2013. Although the public has sometimes seemed blasé about the risk of lost personal data, this attitude may be changing—a recent study found that nearly 60 percent of breach fraud victims "significantly lost trust" in their retailers and 14 percent avoided their retailer altogether due to the fraud potential.9 Data breaches also are affecting stock prices—a 2014 study showed that the average stock price of a company suffering a data breach fell 11 percent within 12 months of the breach10—not only damaging the company's market capitalization but also heightening the possibility that a securities class action suit may follow.
In addition, the Securities and Exchange Commission (SEC) has shown a heightened interest in how corporations handle and disclose cybersecurity issues, beginning with its October 13, 2011, guidance on cybersecurity disclosure obligations. More recently, the SEC held a roundtable in March 2014 on cybersecurity and initiated investigations concerning the handling and disclosure of data breaches at several corporations including Target in early 2014. Underscoring the SEC's concern about corporate cybersecurity, SEC Commissioner Aguilar spoke in June 2014 at a New York Stock Exchange conference on "Cyberrisks and the Boardroom," during which he warned that "boards that choose to ignore, or minimize, the importance of cybersecurity oversight responsibility, do so at their own peril."11
Traditional Duties of Directors and Officers and Recent Data Security Claims
The decision by plaintiffs to challenge the conduct of directors and officers concerning cybersecurity reflects this growth in the world of cyberbreaches and hacking. Thus, as the risk of a serious and damaging cyberattack grows, so too does the risk of a lawsuit against directors and officers. Indeed, the derivative lawsuits over the recent Target breach, Collier v. Steinhafel and Kulla v. Steinhafel, cite to the recent wave of cyberattacks striking American corporations and warnings promulgated by the Department of Homeland Security as evidence of why it is now reasonable to expect directors and officers to focus on cybersecurity issues.
In considering the events that give rise to most management suits against directors and officers, the so-called classics come to mind: mergers and acquisitions, initial public offerings, and the like. But it seems inevitable that cyberbreaches will give rise to an entirely new generation of shareholder and derivative suits—indeed, this began a few years ago. As of yet, none of the suits have resulted in a clear statement of directors' and officers' duties when it comes to cybersecurity. With cyberbreaches in the news nearly every week, this body of law undoubtedly will grow. However, until then, a review of the general duties of directors and officers provides a helpful backdrop for discussing allegations by plaintiffs in recent complaints.
In general, directors are responsible for ensuring the corporation is managed in the shareholders' best interest, determining the corporation's business strategy, and appointing and supervising officers to execute that strategy. In supervising management, directors are expected to establish major policies and procedures, evaluate management performance, review the corporation's financial status, prepare and submit information about the corporation and its financial condition to shareholders and government regulators, monitor and authorize securities transactions (including public offerings), and ensure the corporation complies with applicable laws and regulations. Directors owe the corporation (and through the corporation, the shareholder) three duties: loyalty, care in monitoring and directing the corporation's activities, and attention.
Of particular relevance to overseeing corporate cybersecurity, the duty of care requires directors and officers to make decisions based on reasonably adequate information and deliberation. The adequacy of their deliberative process, as opposed to the success of the result, is the focus of the duty of care. Directors and officers must discharge their duties with the care that an ordinarily prudent person in a like position would exercise under similar circumstances and in a manner they reasonably believe is in the best interest of the corporation. The duty of care also requires that directors obtain and review adequate information concerning board actions and generally supervise the corporation's business. In general, directors and officers are insulated from liability for their business or managerial decisions so long as they act on an informed basis, in good faith and in the honest belief that their actions were taken in the best interests of the company. The business judgment rule creates a presumption in favor of the board of directors of a corporation. It reflects the courts' recognition that it is in shareholders' economic interests to ensure that director decisions are made freely and without constant fear of litigation.
Under Caremark, a board of directors can be held liable for failing to appropriately monitor and supervise the corporation only where they have engaged in a "sustained or systematic failure" to exercise oversight—such as where the board members utterly fail to implement any reporting or information system or controls or, having implemented such a system or controls, consciously fail to monitor or oversee its operations, thus disabling themselves from being informed of risks or problems requiring their attention. In either case, imposition of liability requires a showing that the directors knew that they were not discharging their fiduciary obligations. Thus, where directors make a "good faith attempt to be informed of relevant facts," they should not be liable for breaching their duties to monitor and supervise the corporation.
Plaintiffs' arguments in recent lawsuits may shed some light on how these duties might be applied in the context of cybersecurity. For example, a number of lawsuits have been brought against directors and officers as a result of what is perhaps the most notorious case in recent months—the cyberbreach that propelled Target into a windstorm of public scrutiny (one so extreme that its CEO was forced to resign and there have been recent calls to replace board members).12Collier v. Steinhafel, Case No. 14–00266 (D. Minn. Jan. 29, 2014), and Kula v. Steinhafel, Case No. 14–00203 (D. Minn. Jan. 21, 2014), are both derivative suits arising from this infamous breach.
The complaints in Collier and Kula are generally similar. Both allege that the directors and officers breached their fiduciary duties to the company by "failing to take reasonable steps to maintain its customers' personal and financial information" and failed to implement a system of internal controls to protect such customer information from a data breach.
These allegations were echoed in the more recent suit of Palkon v. Holmes, wherein a shareholder of Wyndham Worldwide Corporation brought a derivative suit against its directors and officers for data breaches occurring between 2008 and 2010. They also are quite similar to the allegations of fiduciary duty breaches made in Louisiana Mun. Police Employees Retirement Fund v. Alvarez, 2010 Del. Ch. LEXIS 160 (Del. Ch. July 14, 2010), which arose from a July 2007 intrusion into the computer system of The TJX Cos. Inc.
To date, very few securities class action claims have been brought against directors and officers over alleged failures to disclose cybersecurity risks and misstatements concerning the state of a company's cybersecurity preparedness. However, securities class actions seem inevitable, especially for any company whose business model is reliant on technology and cybersecurity. Moreover, in today's economy, companies are increasingly dependent on technology to reduce costs and offer customer service including e-commerce.
Entering the Unknown: What Steps Should Directors and Officers Take?
At issue in the recent directors and officers (D&O) lawsuits are the "reasonable steps" that directors and officers should be taking to pursue cybersecurity. Directors and officers have always been required to act prudently and reasonably in the management of their companies. Unfortunately, as the world of cybercrime is rapidly changing, what is "reasonable" cybersecurity is changing as well.
Adequate cyberprotection therefore requires executives to understand key aspects of cybersecurity, rather than simply allocate money toward security and delegate decisions to operational levels of their companies. It is essential, of course, for the board to ensure the corporation invests in systems, software, and personnel to protect its business from the ever-evolving methods of attack by cybercriminals. However, to ensure that the appropriate protections are in place to protect the corporation, the board must first understand generally the nature and location of the corporation's key information assets, including protected personal information, and the nature of the potential threats to the security of those assets (which may vary according to the company and industry).
The board also needs to understand and oversee the systems (policies, controls, and procedures) that management has put in place to identify, manage, and mitigate risks related to cybersecurity, as well as respond to incidents. With this base of general understanding, the board is then in a position to discuss with management the corporation's risks and whether its protections, procedures, and plans are sufficiently aligned with the corporation's business goals to best protect the corporation and its brand. In discussing cybersecurity issues with management, boards may find it helpful to review the recently released National Institute of Standards and Technology Cybersecurity Framework,13 which was designed to provide a framework to assist companies in creating and assessing cybersecurity preparedness.
Given the importance of cybersecurity, the board may wish to consider moving responsibility for cyberrisk away from the audit committee to a dedicated group such as a risk management committee. Some companies have opted to retain a single board member with cybersecurity expertise in place of a risk management committee. However, this approach risks the board deferring too readily to a single person's expertise.
Directors are entitled, of course, to rely on the advice of management and outside experts. If the board establishes a committee dedicated to cybersecurity, it may wish to include as an adjunct member a senior cyberrisk officer, such as a chief information officer (CIO) or a chief information security officer (CISO).
Although the practice of some companies has been to hire CIOs, some large organizations are hiring a CISO to have in place an executive whose principal task is information security. In late May 2014, JP Morgan Chase & Co., PepsiCo, and other Fortune 500 companies reportedly were seeking CISOs and other security personnel to strengthen their security defenses.14 Target, which did not have a CISO when it was attacked in December, recently hired its first CISO to oversee the company's technology risk strategy.15
Typically, in such an arrangement, the CISO reports to the CIO. However, this practice may also be changing in light of the heightened need for cybersecurity as some companies are choosing to select a CISO as a peer to the CIO. Part of the rationale behind this change is the belief that a CISO can be more effective when reporting to a CEO instead of a CIO. While a CIO is responsible for efficiency and accessibility, a CISO is responsible for finding security vulnerabilities. These positions therefore involve competing interests, because security measures may decrease accessibility. Other companies have chosen to have their CIOs report to CISOs. For example, at Booz Allen Hamilton, a military and business management consultancy, the CIO reports to the CISO as part of its plan to "be a model on how [to] handle risks."16 This may become a new trend, as may the increasing demand for CIOs to serve on public boards.17
With this as a backdrop, below are some specific issues the board should address:
Employee Education. Maintaining cybersecurity requires vigilance at every level of the organization. Nearly one-third of reported data breaches involve carelessness by employees.18 As organization security is only as good as the weakest point in any organization, the board should confirm that appropriate ongoing employee training is in place to heighten employee awareness of good security practices and minimize the possibility that wrongdoers can take advantage of employees through attacks that take advantage of human nature, such as through "phishing."
Breach Planning. The board should confirm and understand how management is prepared for a data breach or other cyberattack, reviewing at the board or board committee level the management's plans for addressing a breach to ensure the company is well prepared in the event a cyberattack occurs.
Vendor Oversight. The Target breach highlights the vulnerability presented by failing to monitor vendor access to corporate networks. Target gave network access to a heating, ventilation, and air-conditioning vendor that did not follow accepted information security practices. Cybercriminals appropriated the vendor's credentials to access Target's network.
Breach Preparedness and Management. The board should ensure that management has in place appropriate plans, systems, and personnel to detect a security breach promptly, if it should occur, and be prepared to respond to a breach. The board should evaluate management preparedness and, depending on the nature of the corporation's business, confirm that management has conducted simulations to prepare its response to a breach. In the event of a breach, the board should oversee actively the adequacy of management's response to the breach and focus on monitoring crisis communications and restoring customer relations. The board should also confirm that the company has appropriate training, procedures, and personnel to recover from any cybersecurity event.
Post-Breach Planning and Review. After a breach or other cybersecurity event has occurred, the board should act promptly to assess security gaps and evaluate the effectiveness of the corporation's current policies and procedures. This may include updating technology controls and policies and procedures, revisiting existing plans, making appropriate changes, and retraining personnel.
Disclosure Obligations. If a board serves a public company, the board needs to provide oversight of cybersecurity-related disclosures and disclosure controls and procedures. The October 2011 SEC staff guidance addresses the obligations of public companies to disclose cybersecurity risks and cyberincidents, which companies should consider when assessing and disclosing cybersecurity risks. Failure to do so certainly increases the risk that the securities plaintiffs' bar may bring an action against the board and the public company.
Cyberinsurance Purchasing. The board should address whether to purchase cybersecurity insurance and, if so, the appropriate amount to protect the company for the loss that might result from a data breach. Target has reported that it anticipates incurring $110 million in net expenses from its November 2013 data breach,19 which includes a $40 million recovery from cyberinsurance.20 On August 20, 2014, Target reported that since the data breach in the fourth quarter of 2013, it has incurred $236 million of gross expenses, which were partially offset by the recognition of a $90 million insurance receivable.21
Historically, cybersecurity has not been a priority for directors and officers, often taking a backseat to other concerns. Nevertheless, recent events demonstrate that robust cybersecurity is critical and that directors and officers should take an active role in ensuring that the corporation they serve is well protected. While courts have not yet provided guidance on the precise duties of directors and officers for cybersecurity, decisions addressing these duties will soon begin to emerge from the D&O suits that have arisen from recent cyberbreaches. Moreover, regulators and the plaintiffs' bar have clearly signaled that corporate management will be in their crosshairs if management is not proactive in addressing cybersecurity and the preparedness of their corporations for the nearly inevitable cyberattacks that will be coming.
Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.
4 An April 8, 2014, New York Times article titled "Hackers Lurking in Vents and Soda Machines" notes that hackers have exploited vulnerabilities presented by the "countless third parties [that] are granted remote access to corporate systems."
10 Brunswick Group 2014, "Insight Analysis of Major Data Breaches at Publicly Traded Companies." See, e.g., Tom Huddleston Jr., "JP Morgan Says Massive Data Breach Affected 76 Million," Fortune, Oct. 2, 2014 (as of October 2, 2014, JPMorgan's shares lost 1.3 percent of their value since the end of August, when the attacks were first announced in August 2014).