Cyber Insecurity

Target’s board of directors is finally breathing a little easier. In July, a U.S. district court judge dismissed a shareholder derivative lawsuit filed in connection with the company’s 2013 data breach. 

This is just one of a number of suits filed against the directors and officers following revelations of the breach, most alleging the board had ultimately failed in its fiduciary duties of care and loyalty.

The legal morass seems to be over, but the costs and ancillary effects of Target’s large cyber-security events have continued. Following the July ruling, the plaintiffs still retain the right to seek attorneys fees and expenses. Countless examples like this signal the impact cyber-security issues and their associated costs will continue to have on corporate boards and officers.

Directors often rely on directors and officers insurance to offset costs when a lawsuit is filed against them. And Target’s experience, as well as others, have taught us that data breaches can, in fact, lead to claims against corporate directors and officers. Even if those claims do not succeed, the associated legal costs can have a staggering impact on the business. According to Ponemon Institute’s 2015 Cost of Data Breach Study, legal costs accounted for 20% of all data breach expenses, up from just 9% in 2009.

But the real challenge of D&O policies as they pertain to cyber-security events is there’s still very little data that demonstrate the actual risks boards directly face, making it hard for insurers to confidently write policies and adding an element of uncertainty for insureds over their protection.

Currently, most D&O policies don’t even mention cyber as a part of coverage. Large, public companies most often file claims submitted under their D&O polices when a third party alleges “wrongful acts” of directors and officers. And while cyber-specific exclusions aren’t common, data already show this norm might be changing. A recent Fitch Ratings Agency report warned that cyber-related risks put insurers at increased exposure. Recognizing the increase in cyber incidents and the potential for cyber D&O related actions, Fitch’s comments seem to indicate future D&O policies may see an increased trend in cyber exclusions.

And, there’s still no guarantee of coverage given some of the typical exclusions that already exist in policies, such as those involving regulatory investigations, prior or pending litigation, or bodily injury. In many cases, such exclusions may still apply and limit coverage in the event of a data-breach related claim.

As the legal system catches up with technology and D&O policy language continues to signal directors’ increased accountability for exercising appropriate governance and oversight on cyber-security risks, there is a greater need for board education about the real risks of cyber incidents in order to make informed and actionable decisions. As Scott Sinder, The Council’s chief legal officer, wrote in the July/August issue of Leader’s Edge, “At a very basic level, the board’s ultimate success or failure can be judged by whether it asks the right questions.” Adding to that notion is another critical piece in the board’s role—the ability to interpret and provide guidance based on the answers.

However, there’s still a wide gulf between expectation and reality. Another recent Ponemon study on the management of risk through training and culture found only 45% of companies make cyber-security training mandatory for all employees. Even more concerning: of those companies, almost 30% made exceptions for C-suite and C-level executives. If the first step is to institute a culture of security across the entire enterprise and maintain effective communication between boards, management and security leaders, training should be mandatory for directors and officers. This provision would set an example that security is taken seriously across the enterprise, and it would educate those who often have access to some of the company’s most sensitive information.

One of the ways we address these issues at CyberVista is by working with boards and executives to help them build a baseline literacy in cyber-security issues. Cyber literacy allows them to effectively evaluate all their other enterprise risks with cyber security in mind. In this way, they can understand and evaluate the updates they receive from their management teams. Boards with cyber literacy are capable of making more accurate assessments of the company’s risks as well as the board’s real risk of shareholder and derivative suits relative to those risks.

Board members respond well to interactive and actionable tools that help them think critically through the various facets of certain cyber issues without getting lost in the technical weeds. For example, we help board members learn how to quickly define and identify technical assets or information that comprise their company’s “crown jewels.” That knowledge is important when considering just how valuable each of those assets is to the business and what risk-mitigation strategies are needed to protect them.

We also help boards address cyber governance issues, including asking pointed questions of their management teams to ensure cyber security is integrated across all aspects of corporate operation. With integration in place, boards can make informed business judgments on how to avoid, accept, transfer or mitigate risks.

Ultimately, boards that can demonstrate their cyber literacy and fold it into their cyber risk decisions can offer more assurances to their shareholders and insurers that they have met their fiduciary duties.

In turn, as insurers and D&O policy providers work to better understand the real risks directors and officers face in this realm, they can use cyber literacy as part of their evaluation of risk and preparedness.