Cyber security and the board of directors
June 2016 | PROFESSIONAL INSIGHT | RISK MANAGEMENT
Financier Worldwide Magazine
Cyber security has become an increasingly prominent issue of legal, reputational and financial risk for companies and thus for their boards of directors. According to one 2015 study, more than two-thirds (69 percent) of corporate directors reported that their board was more involved with cyber security in 2015 than it had been in the previous 12 months. While boards were reportedly more involved with cyber security issues, many directors also stated that their companies had not yet taken certain concrete steps with regard to cyber security, such as implementing a breach response plan.
It is understandable, given the ever-changing nature of cyber security threats, that many boards feel ill-suited to exert effective oversight for cyber security. For so long it has been delegated – or relegated – as “an IT issue”. But no longer. In order to demystify at least one aspect of such cyber uncertainty, in this article we highlight key issues that boards should understand about the current cyber security legal landscape and provide recommendations that boards should follow to mitigate legal risks related to cyber security. Board members must appreciate that their firms will almost certainly have data lost or stolen regardless of precautions, so an operationally and legally defensible security programme, rather than a perfect one, represents the achievable goal.
Increasingly complex – and global – legal cyber security landscape
It is not hyperbole to say that the legal landscape with regard to cyber security is growing in complexity and geographic scope. Within the United States alone, 47 states have laws requiring that companies provide notice to individuals affected by a security breach. A handful of states further require that entities implement reasonable security measures to protect certain types of data. Massachusetts mandates that businesses handling personal information implement a comprehensive written information security programme that addresses certain security fundamentals, such as employee training and regular information security programme audits, and last month the California Attorney General issued ‘guidance’ on what constitutes reasonable security.
Beyond state law requirements, multiple federal regulators in the United States have asserted authority within the cyber security space. The Federal Trade Commission (FTC) has effectively asserted itself as the de facto data security regulator at the federal level. Recently, the FTC settled with a hardware manufacturer that it alleged had insecurely designed its routers.
Still within the US, several other federal agencies have demonstrated their interest in regulating cyber security issues, including the Federal Communications Commission (FCC), Department of Health and Human Services (HHS), Department of Energy (DOE) and the Securities and Exchange Commission (SEC). For example, the SEC requires companies under its regulation to disclose material cyber security risks and incidents, and the agency has brought enforcement actions against broker-dealers and investment advisers for not having policies and procedures in place that were reasonably designed to protect against anticipated threats or hazards to the security of customer information.
Regulatory interest in cyber security has also proliferated outside the United States. The recently adopted European Union General Data Protection Regulation (GDPR), published on 4 May 2016 and effective 25 May 2018, will require that businesses provide “sufficient guarantees to implement appropriate technical and organizational measures” to protect the personal data of their customers and employees. Unlike existing privacy and security regulations in the EU, the GDPR sets forth specific suggestions for the kinds of security guarantees that may be considered “appropriate”, including encryption of personal data and implementing a process for regularly testing, assessing and evaluating the effectiveness of security measures.
In the event of a security breach involving personal data, under the GDPR certain businesses will have to notify the appropriate regulator “without undue delay and, where feasible, not later than 72 hours after having become aware of it”. If the business has determined that the breach “is likely to result in a high risk to the rights and freedoms of individuals”, it must also provide affected individuals with certain information “without undue delay”. After any such notice, the firm should expect governmental queries about the rigor of its cyber security programme.
Around the world – in Germany, Israel, Canada and South Korea, among others – prescriptive information security rules impose what typically appear to be quite sensible measures that in practice are often complex to implement and impossible to guarantee.
Organisations of all sizes and sectors, global and local, have been increasingly alert to these risks. For senior management and directors, the concerns of protecting customer and employee data, financial records, and valuable intellectual property all centre upon fundamental proactive steps, as outlined below. Because no cyber security programme is perfect, a more realistic goal is for one that is legally and operationally defensible.
First, understand the types of information assets you have and do not limit the inquiry to personal data. Second, assess the risks to those assets, recognising that the benefits of mobile devices, cloud services, vendors and sector-specific requirements must be considered. Third, tone at the top and the education of leadership are critical, so that all levels of the organisation appreciate the significance of the current digital environment. Fourth, prepare for the worst, because ‘it’ will happen to your organisation – and perhaps already has, regardless of your awareness. Develop security programmes and test them through audits and tabletop exercises, much as you would emergency preparedness generally. Fifth, while defending your information assets, appreciate the concept of resilience – that an organisation must be able to continue to function even while under attack, subject to ransomware or subject to an investigation. Finally, consider cyber insurance. Deloitte recently noted that the market for cyber liability insurance is expected to more than triple from an estimated $2bn in gross written premiums in 2014 to $7.5bn in 2020. This is important because many D&O and E&O policies do not cover the circumstances and costs arising from information at risk. These are collectively fundamental steps toward defending the firm against cyber losses and the subsequent legal claims.
No longer is cyber security and the protection of information assets simply “an IT issue” if it ever truly was one. Shareholders, regulators and company leadership are increasingly recognising this as a broader team sport and one that involves legal, financial and reputational risk.
Peter McLaughlin is of counsel and Michelle Anderson is an associate at DLA Piper. Mr McLaughlin can be contacted on +1 (617) 406 6010 or by email: firstname.lastname@example.org. Ms Anderson can be contacted on +1 (202) 799 4382 or by email: email@example.com.
© Financier Worldwide