Cybersecurity and the board of directors: avoiding personal liability — Part II of III
By Steven L. Caponi, Compliance Complete contributing author
NEW YORK, Aug. 6 (Thomson Reuters Accelus) - The first article in this three-part series discussed how legal principles governing directors’ fiduciary duties may be applied to cybersecurity and the risks posed by cyber attacks. To summarize, Delaware’s corporate law places an affirmative obligation on fiduciaries to keep informed of serious risks facing the enterprise. The failure to exercise appropriate oversight in the face of known risks constitutes a breach of the duty of loyalty, a breach that cannot be exculpated under 8 Del. C. §102(b)(7).
In Part II of this series, we explore the “red flags” placing directors on notice of their obligation to proactively manage cyber security risks, and that expose a complacent board to costly litigation and the specter of personal liability. When evaluating whether a particular issue warrants board consideration, directors and officers should look at the nature of the risk, its potential impact on the company, and the extent to which the risk is foreseeable.
It is no surprise that companies of all sizes have migrated toward an increasing dependence on digital technologies to conduct their operations. The scope of this dependence ranges from mundane documents (memos, invoices, advertising material), to confidential material (personnel files, customer data, financial transactions), to highly proprietary or strategic information (business plans, intellectual property, management of critical systems). As this dependence increases, so too does the risk of more frequent and severe cyber incidents. In a February 12, 2013, executive order, the White House noted that “cyber threats are one of the most serious economic and national security challenges we face as a nation and that America’s economic prosperity in the 21st century will depend on cybersecurity.”
The harm facing businesses from cyber attacks is staggering and can be wide ranging. The most obvious losses are those associated with recovering lost or destroyed data, notification obligations, monitoring, forensic investigation expenses, and business interruption expenses. A 2012 Law and the Boardroom study found the average organizational loss from a data breach now exceeds $5.5 million, with U.S. businesses spending, on average, $8.9 million annually on cybercrime. Global cybercrime will cost companies approximately $300 billion to $1 trillion in 2013 alone. For example, after a major credit card payment processing company suffered a cyber breach in 2009, the company and its officers and directors were forced to pay over $100 million in settlements to various business partners. Reputations, especially for large companies that are keen to preserve their names within an industry, can be hit hard or permanently damaged.
As if those numbers aren’t shocking enough, the resulting soft costs can be equally severe. Depending on the industry and nature of the data breach, companies can expect the value of their brand to decline by as much as 17 per cent to 31 per cent. There are also the business disruption expenses, as it takes an average of 24 days to identify and resolve a cyber attack at an average cost of roughly $500,000. To the extent that third-party data is involved, costs may include liability for stolen assets, repairs to information systems, and remediation expenses to address stolen identities.
For public companies, the injury resulting from a cyber attack will be felt by every shareholder. A recent analysis revealed that publicly traded companies that disclose a security breach can expect to see a 5 per cent drop in their share price within two weeks of their announcement. In 2011, Sony witnessed its stock price drop by over 8 per cent following a string of cyber attacks.
As one would expect, investors will be quick to file suit to recover the loss in stock value. Following a data breach, TJX was sued by investors, forcing the parent of TJ Maxx and Marshall’s to spend over $12 million in just one quarter on its breach response, legal, and other fees.
Likelihood of a breach
The number of cyber attacks is staggering and likely exceeds 1 billion attacks annually. The National Nuclear Security Administration disclosed that it alone experiences up to 10 million “significant cyber security events” each day. The 2013 Internet Security Threat Report by Symantec showed that in 2012, there was an average of nearly 200 substantial cyber attacks per day on businesses, with 576 confirmed breaches resulting in the disclosure of nearly 20 million records. According to a 2013 study conducted by Verizon’s RISK Team and its 18 partners, including officials from several governments, it is estimated that over the past 9 years more than 1.1 billion records have been compromised by cyber attacks. Given the secretive nature of the attacks and reluctance of victims to disclose attacks or breaches, the available figures are likely just the tip of the iceberg.
Directors should not allow themselves to be lulled into complacency by thinking “my company is too small to warrant an attack” or “cyber attacks are focused on banks and technology companies.” Seeking to take advantage of every opportunity, hackers are nondiscriminatory, targeting large companies, small businesses, and government agencies with equal impunity. Symantec also found that in 2012, 31 per cent of attacks were focused on companies with between 1 and 250 employees. And although companies in the financial industry suffered 19 per cent of all attacks in 2012, manufacturing companies took the top spot by receiving 24 per cent of cyber attacks. Most alarming, nearly 25 per cent of attacks were directed at the senior executive and the board of directors level.
Who is seeking to steal your corporate data? Everyone – or at least it seems that way. Cyber attacks are being launched by individual hackers stealing low-hanging fruit, organized crime groups looking for a big score, a political activist pushing an ideology, competitors practicing corporate espionage, and foreign governments seeking to bolster their economy or to engage in a form of clandestine modern warfare. Cyber attacks are truly an international crime unconstrained by national borders, undeterred by oceans, and requiring little more than a laptop, some know-how, and a good Internet connection.
The Verizon study also shed light on who is perpetrating cyber attacks. Contrary to popular belief, 92 per cent of cyber attacks, by volume, were perpetrated by people outside the organization, whereas only 14 per cent were conducted by insiders. Who are the 92 per cent? They include organized crime (55 per cent), state-affiliated actors (21 per cent), activists (2 per cent) and former employees (1 per cent).
Although the nature of the attacks varies greatly, the motives generally fall within two broad categories: financial gain and espionage. Attacks motivated by financial gain originate mainly from organized crime groups who steal credit card information, access bank accounts, engage in payment fraud, and practice identity theft. In contrast, the vast majority of espionage attacks originate with foreign governments who seek to bolster their military or industry. These attacks focus on military or classified information, business plans, proprietary data, software, trade secrets and other technical or proprietary information.
Is the risk well known?
As the statistical data evidencing the severity of cyber attacks mounts, it is becoming a topic of daily conversation within corporate America, the subject of governmental action, and news headlines. Due to its high profile, in the event of litigation, officers and directors will not be able to claim with any credibility that they were unaware of the risks posed to their organization by cyber attacks.
On a governmental level, the need to protect business and national security assets has become a major focus of the White House, Congress and the Securities and Exchange Commission (SEC). The House of Representatives has been engaged in a continuing effort to pass cyber security legislation. Most recently the Cyber Intelligence Sharing and Protection Act of 2013 was approved by the House Intelligence Committee. If enacted, the act would give the federal government a broader role in helping banks, manufacturers and other businesses protect themselves against cyber attacks. Not to be outdone, on February 12, 2013, the White House issued an executive order titled “Improving Critical Infrastructure Cybersecurity” establishing a “top-to-bottom” review of the federal government’s efforts to defend our nation’s information and infrastructure. For its part, the SEC Division of Corporation Finance has issued guidance instructing companies to disclose cyber attacks or risks associated with cybersecurity breaches if such attacks or breaches are likely to be material to investors.
Cyber attacks are also weighing heavily on the minds of senior executives in all business sectors. According to a survey by FTI Consulting, cybersecurity has become the number one concern for general counsel and directors. Specifically, the survey found the following:
- 55% of general counsel said that data security was their top concern
- 33% of general counsel believe that boards are not adequately managing cyber risk
- 47% of general counsel said that operational risks, such as cybersecurity, were their most pressing concern
Sharing the concerns of general counsel, numerous national and international corporate governance and technology organizations have recognized the need for boards to implement cybersecurity plans. These include the IT Governance Institute, the Information Systems Audit and Control Association (ISACA), the International Organization for Standardization, and National Institute of Standards and Technology.
The takeaway
The inescapable conclusion that one should reach after reading Parts I and II of this series is that cybersecurity belongs as an agenda item in every boardroom. The law places an affirmative obligation of oversight on officers and directors to manage significant known risks facing their company. Given their frequency, sophistication, and detrimental financial impact, cyber attacks squarely qualify as a significant risk and a clear “red flag.”
Unlike events such as the recent global financial crisis or collapse of the housing market, the tremendous attention being focused on cybersecurity – at all levels – will preclude corporate fiduciaries from claiming that a cyber attack and resulting harm to their company were unforeseen.
Officers and directors should consider proactive implementation of steps to ensure the cybersecurity of their organization. Part III of this series on cybersecurity and director fiduciary duties will discuss specific steps and best practices that boards can adopt in an effort to discharge their fiduciary duty.
(Steven L. Caponi is a partner at Blank Rome LLP. His national litigation practice covers all facets of business litigation, including corporate and IP matters, cybersecurity, M&A litigation, and securities litigation. He can be reached at Caponi@BlankRome.com.)
(This article was produced by the Compliance Complete service of Thomson Reuters Accelus.)