In the following guest post, Paul Ferrillo and Chris Veltsos take a look at the latest consequences that companies are now facing following a data breach – a rating agency downgrade. Paul is a shareholder in the Greenberg Traurig law firm’s Cybersecurity, Privacy, and Crisis Management Practice. Chris is a professor in the Department of Computer Information Science at Minnesota State University, Mankato where he regularly teaches Information Security and Information Warfare classes. I would like to thank Paul and Chris for allowing me to publish their article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this site’s readers. Please contact me directly if you would like to submit a guest article. Here is Paul and Chris’s article.
*****************
The list is long and ugly of public companies that have suffered large cybersecurity breaches — some preventable, some not so much — that have led to catastrophic consequences for those organizations. By catastrophic we mean:
- Regulatory investigations
- Cybersecurity litigation
- Securities litigation
- Derivative litigation
The biggest catastrophic consequence we have seen so far is the “cost to clean up the breach,” which aside from probably being an element of damage under many legal theories, can also turn out to be lots of bad things, like: (1) hundreds of millions of dollars of clean up costs, new equipment costs and upgrades to existing equipment; (2) short-term loss of sales and long-term loss of customers, which again could be severe; and, (3) consultant and expert costs to help the organization recover and try and move on to a better place. And most recently, one very large company, with one very humongous cyber breach was downgraded by Moody’s based, in part, upon the huge clean up costs that would be required going forward. The downgrade could also cost them millions based upon increased interest costs. As the Berkeley’s Haas Institute explains in The cost of credit ratings, as “ratings decline from AAA to A+ yields increase by an average of 6bp per notch. There are steeper yield increases once ratings fall below A+”. Will this ratings agency downgrade, post-breach, be the veritable “canary in the coal mine,” the red alert that someone will finally listen too before they do find them included into the “real bad breach” list? More on the “canary” story below.
Our introduction sets the stage for two areas. The first? What should boards of directors be worried about in light of the Moody’s downgrade? What questions (and answers) should they be focused upon to avoid this problem if their company gets hacked next week? And, given their risk oversight function, how engaged should they be challenging management and IT decisions concerning cybersecurity risk. Indeed, today for many companies, cybersecurity risk and securities law risk are very much inter-related, as we know from many publicly filed cases.
The second area that directors should be concerned about? Enterprise risk management (“ERM”) and cyber risk and its intersection. That’s what. Is the company’s ERM functioning taking into account the expanded risks associated with breaches, hacks and attempts to steal company data? Is the ERM function taking into account the fact that cyber risk affects (or here, infects) other areas of corporate risk? And does the company have insurance (and the “right” insurance) that covers the potential regulatory, securities, and litigation risks associated with breaches?
In short, is the recent downgrade of a company who suffered a humongous breach the proverbial “canary in the coal mine?” That we should all take heed to its warnings?
The board and cybersecurity
Let’s start from the proposition that if a company has data, and it is accessible over the Internet, then it will be a target for hackers. Today data is the gasoline for our economic engines. Data, in all its forms, can also be hacked or stolen by economic competitors (intellectual property) or by nation-states seeking an advantage over the United States. Either way, the theft of data is bad news for a company. The theft of large amounts of data can be disastrous.
So, what should board of directors be thinking about? Lots of things, but here are a few:
- Is the company fulfilling the basic requirements/standards and practices that are outlined in the NIST Cybersecurity Framework? Companies that enact established frameworks or standards are far more successful putting a holistic security program in place than those who do not.
- Is the company doing regular vulnerability and compromise testing to assess its network’s security and vulnerabilities? Fine-tuning its response capabilities also provides the additional benefit of working out the “muscle memory” of the incident response team.
- Is the company handling the basics well? Like patching known software vulnerabilities on a timely basis (critical vulnerabilities within 72 hours) or backing up the network or workstations on a daily or weekly basis. The case in point here is the recent City of Baltimore ransomware case. We don’t have all the facts yet of what happened, but the City’s computers have been down for two weeks, and it could be several more weeks by the time systems and services are fully restored.
- Does the company have the basic policies and procedures it is expected to have: an incident response plan, a privacy policy, a business continuity policy, a crisis communications plan, and a SEC disclosure plan pursuant to its recent 2018 guidance.
- Is the company using accepted methods like encryption or micro-tokenization to protect is most important and most highly sensitive data? Has the company deployed sensors to detect access to sensitive data and to get early warning of possible data exfiltration?
- Finally, does the topic of IT and cybersecurity get discussed at board meetings? If so, who attends the meetings? How often do those meetings happening? What is discussed? In sum, is the board is fulfilling its cybersecurity risk oversight duties? Or is it merely going through the motions?
How are discussions about cybersecurity impacting the considerations of cyber risk during the decision-making process?
This partial list is a good one for directors to think about. Its not exhaustive, but it proves the point that cybersecurity is really about doing the basics well, like backing up your network properly, and getting ready for when a serious incident happens. Little things like that, if ignored, might give you weeks or months of anxiety like Baltimore.
ERM, Cyber Risk and Insurance
After the Financial Crisis, the phrase, “enterprise risk management” took new meaning again. NCState’s Poole College of Management defines ERM as “[t]he objective of enterprise risk management is to develop a holistic, portfolio view of the most significant risks to the achievement of the entity’s most important objectives. The “e” in ERM signals that ERM seeks to create a top-down, enterprise view of all the significant risks that might impact the business. In other words, ERM attempts to create a basket of all types of risks that might have an impact – both positively and negatively – on the viability of the business.”
Though early ERM profiles accounted for “IT risk,” we can be sure that it was not to the extent it should be today. Meaning it is not only the cost of data loss to clean up, but the loss of critical IP or customer data, and the real costs associated with follow-on cyber litigation, privacy litigation and securities litigation. Today, cyber risk could also be business interruption expense too. Whether it’s a day, a week, or six weeks loss to the company, a cyber attack can severely disrupt a business and its sales or manufacturing cycle (cf. Cyberattack cost Maersk as much as $300 million and disrupted operations for 2 weeks).
It is well settled that the oversight of enterprise risk management is generally a board duty:
Clearly, boards must take seriously their responsibility to ensure that management has implemented effective risk management protocols. Boards of directors are already responsible for overseeing the management of all types of risk, including credit risk, liquidity risk, and operational risk — and there can be little doubt that cyber-risk also must be considered as part of board’s overall risk oversight.
[…] boards that choose to ignore, or minimize, the importance of cybersecurity oversight responsibility, do so at their own peril.
[…] directors should be asking themselves what they can, and should, be doing to effectively oversee cyber-risk management.
— Commissioner Luis A. Aguilar, NYSE address June 2014
The thing about fully engaged risk management program is that risk can be prioritized and remediated, or it can be controlled to a tolerable level based upon the risk appetite of the company. But today, how on earth is the company or the board supposed to understand the breadth of the IT risk associated with a major hack on its business? Cyber risk invades everything, in both positive business ways (like, e.g. the enormously valuable cloud platforms), and in negative risk ways, like the company that was just downgraded and has, in addition, tens or even hundreds of lawsuits pending against it. How does the hack of the most critical IP of the company (say, e.g., the plans to a new fighter jet) get valued? And the reputational cost to an organization of leaving millions of pieces of customer data unprotected “in the wild” for anybody to see, and anybody to steal?
And how does IT and cyber risk invade the general risk of the company and its directors and officers? How does cyber risk impact reputation risk? How does reputation risk affect securities law risks? With its oversight duties, the board must guide management through the risk identification and risk avoidance exercise. It must do its best to both control and remediate the risk that are identified, and then it must see to it that the company insures with a reputable carrier the residual risk associated with large cyber attacks. To the extent that it does so, it is hopefully mitigating the risk of a securities class action or derivative action. Or at worst, the risk of a major uninsured loss that affects the balance sheet.
There is no good answer to this question of how to insure the residual risks of a cyber attack to the company other than follow the metrics that are publicly available. That is certainly one way to do it. See for example our view of securities law market capitalization risk in Six Avoidable Problems Directors Can Have With Their D&O Insurance. Our metrics give a common sense approach to securities law damages that might be associated with a major stock drop following a cyber attack.
There are also a plethora of methods and statistics that are now available on the cybersecurity side to understand the cost of breach cleanup, investigations and litigations. See for example the Ponemon Cost of a Data Breach Study 2018 sponsored by IBM, which notes “[t]his year we found that the average total cost of a data breach, the average cost for each lost or stolen record (per capita cost), and the average size of data breaches have all increased beyond the 2017 report averages:
The average total cost rose from $3.62 to $3.86 million, an increase of 6.4 percent
The average cost for each lost record rose from $141 to $148, an increase of 4.8 percent
The average size of the data breaches in this research increased by 2.2 percent.
Organizations can leverage the Ponemon study to benchmark the purchase of standalone cybersecurity insurance. And while using those per-record and average breach costs may result in very high estimates, organizations must face the reality that there are now demonstrated losses approach a billion dollars in some of the bigger cybersecurity breach cases.
If a data breach reaches catastrophic proportions, the impact will ripple well beyond the cyber domain: when the large breach is disclosed to the markets and investors it can become a market capitalization risk. Investors are then likely express their displeasure by selling their shares and causing a sharp stock drop. Shareholder derivative actions can cost a lot of money to settle as well. How would you attach a dollar value to this risk? Are you in a position to absorb this level of loss? Most probably no, unless you have purchased a lot of D&O insurance to cover potential market capitalization drops and shareholder derivative litigation alleging breach of fiduciary duty. And please buy the D&O insurance from a recognized brand name carrier that has a demonstrated claims paying and claims handling reputation.
You might ask why we are advocating a lot of insurance in our cybersecurity breach analysis. Because we have been in the trenches of cases. We have seen how expensive they can be. We have seen corporate reputations be severely damaged. And if you don’t have a billion dollars in cash on your balance of case to litigate and settle these bigger, messy cases, you might another risk on hand: insolvency risk (cf. Cambridge Analytica Bankruptcy Shows the Perils of Data Security Breaches).
The true story of the canary in the coal mine goes back to 1911. Coal miners would bring canaries in coal mines to detect carbon monoxide and other toxic gases before they hurt humans (cf. The Story of the Real Canary in the Coal Mine). The canary and later other animals (like mules) were used for many years until automation and automated sensors and alerts allowed them to be retired from active service. Think of these automated warnings like an automated fire alarm today, telling office building residents it’s time to evacuate their floors to go below the fire.
We have had warnings before that cyber breaches for public companies were bad news. With regulators like the SEC sending a clear signal that “enough is enough.” The recent rating agency downgrade makes it worse news. Indeed, we have had a lot of warnings over the past two years. The downgrade should be viewed as the canary in the coal mine. That cyber “canary” is now “coughing” right now. The cyber warning lights are blinking red again. It is certainly time to take action.