Building a Cyber Governance Framework
We begin 2022 in the scariest cyber environment we have ever encountered.
The past year brought us record ransomware attacks, extremely sophisticated malware, and the highest level of nation-state involvement in cyber attacks. It is not going to get any better in the foreseeable future, making the need for leadership in managing cyber risks all the more pressing.
Cyber governance has been pushed toward boards of directors and C-suites for more than 20 years, but it has been slow to take hold. That is now changing. The importance of cyber governance has been elevated over the past few years due to:
- Increased sophistication of cyber attacks, resulting in significant business interruption losses and theft of confidential and proprietary data
- Information security governance standards and best practices that require specific actions from directors and senior management
- Increased legal and regulatory requirements mandating governance of information security
- A flurry of cyber-event driven shareholder derivative and securities class action litigation
- Recent holdings in Delaware case law that collectively work to narrow, under certain circumstances, the deference given to boards, particularly with respect to meeting their duty of care and duty of loyalty.
The first challenge that directors and officers face is trying to understand what they really need to know in order to properly exercise oversight of cyber risks. They do not need to understand the technical ins and outs of all types of cyber attacks or the details about the company’s IT systems and hardware, but they do need to know how to govern privacy and cyber-security risks.
What Boards Need to Know
There are three areas that boards and senior executives need to understand in order to appropriately govern cyber risks:
- Current threat environment, including types of cyber attacks being conducted and those likely to hit the company, internal operational factors that can increase cyber risks, and external factors that must be considered in cyber risk management
- Privacy and cyber-security compliance requirements
- Key elements of a cyber-security program and how maturity is achieved.
With respect to the current threat environment, cyber attacks have become sophisticated and may be multipronged. They may involve disruption of operations, loss or encryption of data, theft of confidential/proprietary data, corruption of data, massive malware infestations, etc. Industrial control systems are particularly vulnerable to attack, and internet of things (IoT) devices are usually easy targets because they are generally not well managed on networks. Understanding the threat environment helps boards and executives comprehend the cyber risks facing companies today and how they can impact operations or cause a significant loss.
Compliance requirements for privacy and cyber security are complex, particularly for organizations that operate globally. Directors and officers need to know the potential impact of these compliance risks (for example, high financial penalties, reputational impact, restrictions that reduce market share). All organizations should maintain a list of their privacy and cyber-security compliance requirements, including NDAs and contractual requirements.
Good cyber-security programs track cyber-security best practices and standards. Directors and officers need to know the best practices and standards that their organization must comply with and make sure the company’s information security program is aligned with them and key activities are performed. Risk assessments against these standards and best practices can determine the maturity of the cyber-security program, identify gaps and deficiencies in meeting control requirements, and serve as an indication of the maturity of the organization’s risk posture.
Cyber governance revolves around established best practices and standards, legal compliance requirements, and regulatory guidance. The International Organization for Standardization and International Electrotechnical Commission (ISO/IEC) issued a standard for governance of information security, ISO/IEC 27014, in 2013 and updated it in 2020. Under ISO/IEC 27014, directors and officers have specific responsibilities for cyber security. Best practices for cyber governance have been established by U.S. government entities, such as the National Institute of Standards and Technology and the Federal Financial Institution Examination Council (FFIEC). These best practices also set forth specific responsibilities for executives and boards. The FFIEC has a particularly good division of responsibilities between management and board directors.
Cyber governance requirements are also embedded in U.S. laws, such as the Federal Information Security Management Act, the Gramm-Leach-Bliley Act, and the Health Insurance Portability and Accountability Act, and in state laws, such as the New York Department of Financial Services Cybersecurity Regulation and the South Carolina Insurance Data Security Act.
The Federal Trade Commission routinely includes governance responsibilities in the consent orders it issues following investigations of privacy and cyber-security issues, as well as in its cyber-security regulations, such as the Red Flags Rule and the regulations it issues under related laws. Regulatory guidance for IT and information security governance has also been issued by various government agencies and industry associations, such as the Securities and Exchange Commission, the Financial Industry Regulatory Authority, the Food and Drug Administration (medical device cyber security), the Healthcare and Public Health Sector Coordinating Council, and the International Air Transport Association.
Board responsibilities for the oversight of cyber risks vary from company to company, and this is often determined by the size of the organization. Small to midsize organizations may manage cyber risk at the board level, whereas larger companies tend to divide responsibilities between the audit and risk committees. The risk committee generally takes the lead in identifying and managing cyber risks as part of their enterprise risk management responsibilities, and the audit committee reviews aspects of the cyber-security program and ensures controls are appropriately implemented. Whatever way these responsibilities are managed at the board level, they cannot wholly be delegated to management; responsibilities need to be divided between top management (oversight) and the board (management and execution of risk strategy).
Board-Focused Cyber Litigation
Directors have a fiduciary duty to act in good faith with a duty of loyalty and duty of care. This fiduciary duty extends to the protection of data, IT networks, and systems. The 1996 Delaware Caremark Derivative Litigation case set forth important case law regarding a board’s duty to ensure that it has adequate information flows to enable it to meet its fiduciary duties. Caremark has been considered one of the most difficult cases to win, in that the plaintiff essentially has to prove that the directors acted in bad faith because they completely failed to implement an information and reporting system. In a cyber context, showing good faith and duty of loyalty could be interpreted to mean that boards have identified key cyber risks and established adequate information flows and reporting about these risks and monitored them.
In 2019 and 2020, however, Delaware courts issued four opinions that collectively work to narrow, under certain circumstances, the deference given to boards, particularly with respect to meeting their duty of care and duty of loyalty. The cases made clear that boards must make a good faith effort to establish a board-level system of monitoring and reporting and regular review of key risks. This is especially important for companies in highly regulated industries or with significant compliance requirements. Although early derivative cases were dismissed, settlements in recent cases indicate they may continue to be filed and may sweep in privacy violations and regulatory action. The Delaware Supreme Court has noted the “necessary conditions” for assessing director liability are (1) failure to implement reporting or information systems or (2) after implementing such a system, the directors failed to monitor it and oversee operations.
Building the Framework
The most important activity directors and officers can undertake to manage digital risk is to establish a cyber-governance framework that enables them to meet their fiduciary duties, protect digital assets, ensure the organization meets its privacy and cyber-security compliance requirements, and avoid litigation. A cyber governance framework should be established that meets ISO/IEC 27014 requirements or other best practices, with responsibilities divided between directors and executive management.
The first step is an analysis of operations, the cyber-security program, and key privacy/cyber-security compliance requirements. This activity will enable critical cyber risks to be identified and ranked. The next step is to identify the essential information that directors and officers should receive to monitor these risks and stay informed. The third step is to develop a risk transfer strategy and define the cyber risk thresholds for the organization. Finally, boards need to take care to ensure their cyber governance actions are properly documented and copies of all documents used or provided to the board or committees are properly filed in a repository.
Cyber risk management needs to be integrated with enterprise risk management, and the risk manager plays an important role in ensuring that the organization’s risk strategy and insurance coverage appropriately addresses cyber risks. Agents and brokers can work closely with risk managers and board committees to see that all insurance policies—cyber, property and casualty, general liability, D&O, etc.—are written to cover the identified risks and that coverage levels are appropriate.