Cyber attacks finally grabbed the attention of executives and board directors in 2014 when Institutional Shareholder Services recommended seven of the 10 board members at Target not be reelected because they failed to ensure the company’s digital assets were protected against a data breach.
Despite the proxy advisor’s recommendation, shareholders reelected the directors, but the message resonated: boards and senior leaders could no longer leave cyber risk management to IT staff.
This is definitely a shift in thinking, and the insurance industry has been seeing evidence of it for a while. When boards and senior management began pulling risk managers aside and asking whether the organization’s cyber risks were under control, risk managers, in turn, began calling their agents and brokers to discuss cyber insurance and trying to understand an area in which they had no baseline information. Increasingly, IT or security personnel were summoned to report to the board or a board committee on how they were managing cyber risks, and directors strove to ask interesting questions as proof that they were exercising proper oversight.
Boards also became more aware of cyber-security standards and best practices, including the following:
- The Payment Card Industry Data Security Standard is the set of technical and operational requirements for credit card data. The PCI standard was developed by the major credit card companies and applies to all merchants accepting or processing credit card transactions. Financial institutions that have to cover fraudulent charges or reissue credit cards to consumers whose cards were affected can seek indemnification from the breached merchant under this standard. Target paid more than $39 million to settle such claims.
- Some cyber-security standards are mandatory and codified in federal regulations, such as the HIPAA Security Rule (applicable to personal health information) and sector-specific regulations, such as the North American Electric Reliability Corporation’s Critical Infrastructure Protection security requirements for utilities engaging in electrical generation, transmission or distribution. Penalties and fines associated with violations of these standards can run into the millions of dollars, and they are usually accompanied by unwelcome headlines.
- There are several other information security standards that may apply to organizations, such as National Institute of Standards and Technology’s Federal Information Processing Standards and guidance that are applicable to certain government contractors and the cyber-security requirements imposed on financial institutions. Due to the nature of their operations, some organizations have to comply with numerous standards, making cyber-security compliance a complex undertaking.
While boards and executives are now generally aware of the cyber-security standards applicable to their operations, many are not aware that standards have been developed that apply to the board itself in the governance of cyber risks. Only recently have boards begun to realize they actually have roles and responsibilities for cyber risk management that are defined by internationally accepted best practices and standards.
The Information Systems Audit and Control Association has been a frontrunner in IT governance best practices and founded the IT Governance Institute (ITGI) in 1998 to advance the governance and management of enterprise IT. The ITGI’s Board Briefing on IT Governance (2nd edition) has served as a guidepost for many boards trying to understand how to manage digital risks within their organization. The publication, however, focuses more on IT risks than cyber-security risks. As IT systems have become increasingly vulnerable through networking and internet connectivity, securing these systems is an essential element of IT governance.
Just months before the Target breach in December 2013, the International Organization for Standardization and the International Electrotechnical Commission published ISO/IEC standard 27014 on Governance of Information Security. The standard sets forth actual roles (called principles) and responsibilities (called processes) for board directors and senior management in governing cyber-security risks. The standard notes that “the key focus for the governing body is to ensure that the organization’s approach to information security is efficient, effective, acceptable and in line with business objectives and strategies giving due regard to stakeholder expectations.”
ISO/IEC 27014 is not the only standard for cyber governance, however. Governance requirements are mandated by the Federal Information Security Management Act and have been integrated into NIST guidance (Special Publication 800-100). The Federal Financial Institutions Examination Council’s Cybersecurity Assessment Tool has an entire section on cyber risk management and oversight, with controls specified for baseline, evolving, intermediate, advanced and innovative levels of governance. The New York State Department of Financial Services’ Cybersecurity Requirements require an annual signed certification of compliance by the board chairman.
These standards for information security governance should be taken seriously and adopted in board and executive processes. Directors and officers have a fiduciary duty to protect the assets of the organization and the value of the company. The increased dependence upon IT systems necessarily extends this duty to include the protection of the organization’s digital assets (data, networks and software). Fiduciary duty lawsuits were filed against directors and officers of Target, Wyndham Hotels and Home Depot following major breaches at these companies. Although these suits have not fared well in the courts (each suit was dismissed on various grounds, but some settled on appeal), the plaintiffs’ bar can be expected to become more experienced in standards and best practices and may increasingly point to board failures to comply with these standards as a basis for its claims. Unlike these fiduciary-duty suits, a securities-based class action lawsuit was filed earlier this year against Yahoo’s board and officers after its disclosure of a breach of 1.5 billion user records.
In deciding cyber cases, courts have looked at how the board or board committee reviewed and evaluated the company’s cyber-security controls and protective measures, how many times cyber security was discussed, or how many cyber-security reports the board received. Those factors are a low bar compared to meeting the requirements of ISO 27014 or other governance standards.
Scrutiny of cyber governance can be expected to continue as attacks become more severe and business interruption costs mount. The recent WannaCry and Petya malware attacks that hit companies around the globe, for example, created significant business interruption for affected companies and, in some instances, required substantial remediation efforts.
The best strategy in countering cyber attacks—and the ensuing lawsuits—is to plan for them. Brokers, agents and risk managers should examine their own cyber coverage, including the extent to which current D&O or cyber policies cover these types of lawsuits. They also should review how boards and executive teams they work with are governing cyber security, including whether they have implemented ISO/IEC 27014 or other best practices for governance, and raise awareness of governance standards.
Westby is CEO of Global Cyber Risk.