As this blog’s readers know, there have been a number of management liability claims that have been raised against companies that have experienced cybersecurity incidents. In the following guest post by Paul Ferrillo and Chris Veltsos, the authors argue that cyber risk is in fact D&O risk and that the risk is growing. The authors also suggest a 10-step plan to grapple with the risk. Paul is a shareholder in the Greenberg Traurig law firm’s Cybersecurity, Privacy, and Crisis Management Practice. Chris is a professor in the Department of Computer Information Science at Minnesota State University, Mankato where he regularly teaches Information Security and Information Warfare classes. My thanks to Paul and Chris for allowing me to publish this article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is Paul and Chris’s article.
Ah, another article about cyber risk, you say? Time for a late summer snooze? Or time for a serious chat post-Labor Day? We think a serious chat is in order.
Chris and I have been friends a while. We did not know each other during cybersecurity 1.0 – the early days. “Little House on the Server Farm.” This was when people really did not know what to expect about cybersecurity, its risks, its rewards and its tremendous downsides if ignored. There were a few reported breaches, but not many. People had heard of Stuxnet, but barely so.
We met during Cybersecurity 2.0 – the post-Target days. You remember them? The big retailer breaches had begun. Many more were soon to come. Directors knew there was a problem (“Houston, we have a problem”) but it was hard to put your finger on its pulse. Yes, a big breach. A lot of data lost. A lot of remediation costs, certainly. But then what? Did directors and officers really know how bad things had gotten? Our guess is probably not. At that stage the civil litigation was less than serious. Cases were getting settled on the cheap. The privacy bar was in its infancy. We would call it a “jump ball.”
Then “cybersecurity today.” We equate that to the Equifax breach. It was a case that hit 7.0 on the Richter scale. Something was seriously wrong. And we all knew it, including the public, which was most affected by the breach. Congress knew it and held hearings with a just-retired, sidelined CEO. Sidelined by cybersecurity. The plaintiffs’ bar certainly knew it too.
Said one congressman at the time of the full-blown congressional hearings, “You can’t stop stupidity. You can’t legislate against it, but you can hold people accountable for it….” See Congressman on Equifax: Can’t legislate against stupidity but can hold people accountable
Paul has an expression for this new period we are in today: Cybersecurity 3.0 – “we really don’t trust you that much any more with our data. Step it up, or else!”
So what is the “or else?”
Here is what makes cybersecurity a serious, “pay attention to me or else” risk: the regulators are in high gear. After Equifax and continuing today, federal, state and international regulators are all over cybersecurity, management and the board. First came the regulation: the EU GDPR, the New York DFS cybersecurity regulation (23 NYCRR Part 500) and now California’s CCPA. Then layer on the Securities and Exchange Commission, with its anti-fraud and disclosure requirements for public companies. Then the fines started. First on the smaller side. Now on the tremendous side, with the recent breach and privacy fines against many of the name-brand companies we speak about and write about daily. Those fines and penalties cause reputational damage. Those fines and penalties, and the mere fact of big breaches themselves, cause market capitalization losses. Those market cap losses cause securities and derivative action litigation to get filed. And so it begins:
Rule 1: cyber risk is D&O risk.
Rule 2: Under-appreciated cyber risk is major D&O risk, or even a bankruptcy-level risk. See AMCA Bankruptcy Filing in Wake of Breach Reveals Impact
Ok you say, we have seen this before in corporate America, so what’s really so new? This: these inopportune fines and decisions, even those from other jurisdictions like the United Kingdom and the European Union, will make their way into civil litigation in the United States, and will likely make those cases very difficult to defend, if not unwinnable. Why? Because these fines and penalties tend to indicate “something was wrong.” And in some cases, something was seriously wrong. Those decisions end up as exhibit one in the securities class action. The privacy class action. The settlement papers. I saw this as a young lawyer. In many of my early securities cases, there were occasions where the CEO or CFO was indicted early in the case. Or pleaded guilty. Though some of these cases had other factors to litigate, we often did not. We often could not. Because of reputation issues, many of those companies just didn’t make it past the opening volleys, and these were Fortune 500 companies.
Ok you say, so what? We survived, right? Well, not so fast. Corporate America survived the Enron and WorldCom days because Congress and Corporate America woke up. Congress passed a comprehensive set of rules, leading with the Sarbanes-Oxley Act of 2002, for both public companies and accounting firms. The rules had real teeth, real effects and real downsides if ignored. “The Sarbanes-Oxley Act of 2002 cracked down on corporate fraud. It created the Public Company Accounting Oversight Board to oversee the accounting industry. It banned company loans to executives and gave job protection to whistleblowers. The Act strengthens the independence and financial literacy of corporate boards. It holds CEOs personally responsible for errors in accounting audits… Section 404 requires corporate executives to certify the accuracy of financial statements personally. If the SEC finds violations, CEOs could face 20 years in jail… Section 404 made managers maintain “adequate internal control structure and procedures for financial reporting.” Companies’ auditors had to “attest” to these controls and disclose “material weaknesses.” See Sarbanes-Oxley Summary.
For whatever rules Sarbanes-Oxley gave us, it also gave us definitive guidance, rules of the road, a compliance check, real penalties, potential jail time, and real corporate responsibility and accountability for stopping corporate fraud. Having lived through that cycle, and later the Financial Crisis, I can tell you that Sarbanes-Oxley helped. A lot.
Today, corporate directors don’t have a Sarbanes-Oxley equivalent when it comes to cybersecurity. And that is the problem we need to grapple with. Right now. Today. Unless you are a federally regulated financial institution, advisor or fund, there is very little in terms of oversight and little in terms of ultimate corporate accountability. We have nothing like Section 404 of Sarbanes-Oxley. And certainly, we have nothing like the Big 4, PCAOB-driven accounting firms when it comes to cybersecurity oversight, compliance or review. We have a hodgepodge of cybersecurity vendors, from the very good to the “don’t go there.” This should not be comforting to a director of a name-brand, data-driven company. Or any company. And just because you think you might have D&O or standalone cyber insurance doesn’t mean you are ok. Indeed, you probably already don’t have enough limits of liability to face the threats of today, let alone those of tomorrow.
So what should directors do now? Think. And how should they react? Aggressively!
That was the wind up. Here is the pitch: an errant fastball high and tight. Almost on the jawline. Potentially catastrophic. But…. Maybe not. The Cyberavengers are here to sound the alarm, to point people and companies to safety. The world as we know it is under near-constant cyber-attack and so are your company’s systems. This is no time to stick your head in the sand. Now is the time to step up, to roll up your leadership and governance sleeves, and to get a grip on cyber risk.
Chris and I are planners. We are also educators. Here is our 10-step plan to help boards grapple with the increasingly ugly face of cyber risk:
- Recognize that we have a humongous problem here. Not a small one. Cybersecurity breaches are not black swan events. They are everyday occurrences. They can hurt. They can be terminal. They can shut the power off. And many cybersecurity events are not even reported publicly. Treat cybersecurity with the respect it deserves.
- Demand that your company have a basic, fundamental approach to cybersecurity. The Cyberavengers basics should be mandatory: email filtering against phishing and malicious attachments, regular and timely patching, backups of your data and systems (tested by actually restoring from them, and kept where ransomware cannot reach them), and identity and access management tools, starting with multi-factor authentication. More details on our list of security basics.
- Has your company adopted the NIST Cybersecurity Framework? If not, why not? It should. If plaintiffs’ counsel can cite the Framework chapter and verse in their complaints, company directors should be able to as well during board meetings.
- Does the board receive regular (quarterly) reports from IT and senior management? If not, why not? Failure to report up is a big red flag. Not making adequate time to review those reports is also a big red flag.
- What do those reports say? Are they based on metrics the board can act on? Or full of nerd speak?
- Are risk assessments done at least semi-annually? Do they cover assets, threats, controls, control effectiveness, risk, insurance, residual risk and risk appetite? Are the risks tracked, updated and reviewed regularly?
- Are vulnerability assessments done at least semi-annually (for internet-facing systems, continuous scanning is the better standard)? Leverage automated tools to shed light on your most vulnerable systems. Then patch, quickly if you can. Otherwise document, isolate and/or monitor, and track the exception until it is closed.
- Are compromise assessments done on a regular basis? If you suspect your company has been compromised, there is no time to waste. And if you think you haven’t been, you should get a second opinion. A compromise assessment will check for sure, and give you insight into your company’s environment, its current cyber hygiene, its systemic risks, and just how effective your controls are. Psst: they’re probably not as effective as your CISO told you (unless they’re actually rigorously tested every quarter).
- Is employee training and testing on spearphishing and social media risks done quarterly (or even more frequently)? Does this training and testing include managers and executives? Does it include the board directors themselves?
- Finally, does the company have a practiced and tested incident response, business continuity and crisis communication plan? If not, why not? The NIST Framework’s Respond and Recover functions call for those at a minimum.
We could have a list of 20 or 30 items, but the same points would still apply. Your company needs regular processes, policies and procedures to effectively manage its cybersecurity risk. If it does not, problems will surely surface. And as at Equifax, AMCA and many others, those problems could turn catastrophic and cause directors to face liability for not requiring “a well-rehearsed plan.”
The ten-step plan above is a start, a baseline floor, with a lot of room overhead. Pick a framework (NIST CSF, ISO 27001, others) and embrace it. Embrace it fully. Yes, it will take time and resources, and a commitment for the long run. When it comes to cyber, inaction today gambles away your company’s future, its very existence. Your company’s cybersecurity doesn’t need to be perfect. Perfect is not what the law requires. Perfect should not get in the way of good. But you must attempt the good with reasonable efforts. There is no time to waste.