Coronavirus Response Requires D&O Review
As most organizations and governments closed their offices and ordered employees to work from home in response to the coronavirus, cyber criminals and nation states began taking advantage of workers who were suddenly easy targets.
This is not just an IT/information security problem; it is also a governance problem. Boards of directors and executives not only have to steer their companies through the unprecedented challenges associated with the coronavirus; they also have to review their governance of information security, business continuity plans, and risk transfer strategies to ensure that IT systems are secured and fraud and corruption are controlled. This is no time to dawdle; the threat environment has changed, and cyber attacks and fraudulent schemes are already impacting organizations around the globe.
Changes to the Threat Environment
The cyber threat environment is constantly evolving, but the coronavirus was a boon to cyber criminals targeting people who are
- working without adequate training or policies in place for remote working,
- using personal devices that don’t have adequate antivirus software, may be shared with other family members, and have not been registered with a mobile device management tool, and
- accessing IT systems without two-factor authentication or a virtual private network.
For example, recognizing that people were desperately searching for information about the virus, attackers created phony coronavirus news websites that serve malware to their visitors. Security journalist Brian Krebs reported that cyber criminals were distributing a working copy of the Johns Hopkins coronavirus global map bundled with malware, so that opening it infects the user’s computer. Some phishing email campaigns have targeted healthcare workers and hospitals, posing as health safety guidance or shipping details for medical equipment; clicking the links in those emails infects the user’s computer with malware. Accenture recently reported on a wide array of COVID-19-themed attacks seen since January, including phishing, spam carrying malware (malspam), and ransomware.
Nation states have also been at the forefront of coronavirus exploitation. U.S. State Department officials have advised Congress that “the entire ecosystem of Russian disinformation is at play,” using fake online personas to exploit aspects of the pandemic. On March 16, Attorney General Bill Barr issued a memorandum to all United States Attorneys alerting them to online fraud involving fake cures for COVID-19, phishing emails posing as the World Health Organization and U.S. government agencies, and malware inserted into mobile apps that purport to track the spread of the virus. He ordered them to “prioritize the detection, investigation, and prosecution of all criminal conduct related to the current pandemic…[and] to work closely with state and local authorities….”
Taking quick action, the Department of Justice and the Commonwealth of Virginia announced a few days later the formation of the Virginia Coronavirus Fraud Task Force that would focus on fraudulent activities that try to profit off the pandemic and online scams that steal money from victims or install malware.
The attacks are hitting organizations globally. For example, the United Kingdom’s National Fraud Intelligence Bureau issued an urgent scam warning on March 6, noting that it had already received 21 reports of online fraud related to COVID-19, with losses of over £800,000 in the United Kingdom alone. On March 17, the U.K. National Cyber Security Centre published online guidance to help organizations prepare for home working and defend against fraudulent scams. On the other side of the globe, the Australian Competition and Consumer Commission has detected more than 100 coronavirus-related scams since the first of the year.
Boards and executives cannot assume that IT and cyber-security personnel will simply enable the workforce to continue business operations from home while the board continues to govern as usual. These dramatic operational shifts require directors and officers to manage the risks that come with them as part of their governance responsibilities.
This is not an abstract expectation: there is now an ISO standard for the governance of information security, ISO/IEC 27014, with similar provisions in other leading cyber-security best practices and standards. In addition, numerous laws and regulations impose clear cyber-security governance responsibilities on directors and officers as compliance obligations.
At a minimum, directors and officers of companies that have been impacted by the coronavirus need to give close attention to the following issues.
Amending the cyber-security program > Directors and officers must ensure that their organization’s cyber-security program is appropriate, is aligned with best practices and standards, and has controls that are effectively securing data and systems. This means the program must be reviewed and amended to accommodate the operational changes: working from home; shifts in roles and responsibilities; changes in access controls, systems and event monitoring; changes in incident response and reporting; and revisions to backup and recovery. Any new software or vendor services needed to manage the new working environment, such as mobile device management tools, logging and security event analysis software, or threat intelligence services, must also be incorporated into the cyber-security program.
Maintaining compliance > Directors and officers must ensure their organization continues to meet its compliance requirements, irrespective of where the work is performed. Companies with regulatory requirements for technical, physical and administrative safeguards, such as healthcare providers and defense contractors, need to ensure those safeguards are in place for teleworking. Privacy policies may need to be reviewed and updated so that users are informed of operational changes that could affect their consent or how their data are handled or processed. And, irrespective of where employees work, breaches of data covered by privacy laws or the EU General Data Protection Regulation must still be reported, and affected individuals must be notified.
Compliance officers also need to ensure ongoing compliance with the Foreign Corrupt Practices Act (FCPA), which prohibits U.S. companies and individuals from paying bribes to foreign officials as a means of retaining or obtaining business. Penalties under the FCPA as enforced by both the Securities and Exchange Commission and DOJ can be significant. “The coronavirus’s impact on business operations will put pressure on some individuals to get a sale completed, to get goods inspected or released, to procure scarce materials or goods, or to obtain government approvals—all points of temptation that would violate FCPA guidelines,” warns Frank Orlowski, president and founder of Ation Advisory Group and an FCPA expert. “Many FCPA violations or attempts at violations are traced through online communications, so additional controls may be needed to monitor and ensure FCPA compliance for an organization’s employees, contractors and customers,” he added.
Investor notifications > Directors and officers of public companies need to consider whether operational changes related to the coronavirus create material cyber-security risks that investors should be warned about. In its 2018 guidance, the SEC states, “It is critical that public companies take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion, including those companies that are subject to material cybersecurity risks but may not yet have been the target of a cyber-attack.”
The risk factors listed by the SEC when considering material cyber-security risks include the probability of occurrence and magnitude of harm, the adequacy of preventive actions, aspects of operations that could give rise to such material risks, and potential for reputational harm. Operational changes implemented to accommodate coronavirus restrictions could impact each of these factors. On March 4, SEC chairman Jay Clayton reminded all companies that they should “provide investors with insight regarding their assessment of, and plans for addressing, material risks to their business and operations resulting from the coronavirus to the fullest extent practicable.”
Internal reporting and D&O monitoring > Director and officer oversight has generally been judged under the fiduciary duty of loyalty as applied in the Delaware Caremark decision, which in essence held that directors and officers breach that duty only if they fail to make “a good faith effort to oversee the company’s operations.”
A June 2019 case, Marchand v. Barnhill, clarified Caremark and stated that the board has a duty to ensure that (1) there is a board-level process for oversight and (2) the board proactively monitors issues related to key operations. Since cyber-security requirements are now embedded in numerous breach and data protection laws and industry regulations, cyber security is a key operational and compliance issue. Directors and officers should ensure that key cyber and FCPA risks are identified and that information on those risks reaches the board in a timely fashion so it can review and monitor them.
Review risk transfer plans > Operational changes made in response to the coronavirus will necessarily impact a company’s risk transfer strategies and how risks are to be absorbed, avoided and transferred via insurance. “Executives and boards will need to review risk plans and determine where coverage adjustments to cyber, property and D&O policies are necessary to meet their company’s specific risks and to protect the directors and officers,” notes Leslie Lamb, former head of Cisco’s Global Risk & Resilience Management.
Agents and brokers can help these organizations understand that the operational changes required to respond to the coronavirus go to the very heart of governance and risk transfer and that they may require changes to policies and limits outside of normal renewal periods.