Three Key Cyber Events
It is still hard to get more than 15 minutes of attention to the topic of cyber governance from directors and officers.
No wonder. A Ponemon/AttackIQ report released in September 2019 indicated that “only 28 percent of respondents say their board and CEO determines and/or approves the acceptable level of cyber risk for the organization.” Three important events over the past six months may force this to change.
SEC Promotes Cyber Security
On Jan. 27, 2020, the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) released “Cybersecurity and Resiliency Observations,” highlighting some of the key cyber-security activities taken by public companies subject to SEC examinations. Governance and risk management got top billing.
OCIE notes at the outset, “Effective cybersecurity programs start with the right tone at the top, with senior leaders who are committed to improving their organization’s cyber posture through working with others to understand, prioritize, communicate, and mitigate cybersecurity risks.”
Although these recommended practices technically are not mandatory, all companies under SEC purview would be wise to take notice of the following six activities for effective governance and risk management.
- Director and Officer Time Commitment: Devote adequate attention to setting the strategy and exercising oversight of the cyber-security program.
- Risk Assessment: Conduct risk assessments that “identify, analyze, and prioritize cybersecurity risks to the organization” and take into consideration the business operations and potential vulnerabilities, including employees working offsite, operational and jurisdictional specifics, insider threats, and geopolitical risks.
- Policies and Procedures: Adopt written policies and procedures that address the identified risks, then implement and enforce them.
- Testing and Monitoring: Test and monitor cyber-security policies and procedures to validate and keep track of their effectiveness.
- Resiliency and Adapting to Changes: Ensure the organization is resilient; promptly revise ineffective policies and procedures; address noted vulnerabilities, gaps and deficiencies; and appropriately involve board and executive leadership.
- Communication: Establish internal and external communication plans to ensure information is relayed in a timely and appropriate manner to various audiences.
Delaware Raises Governance Floor
The second major event to impact cyber governance was the Delaware Supreme Court’s June 19, 2019, decision in Marchand v. Barnhill, which increases the scrutiny boards must give to risk management and compliance. Since 1996, directors and officers have largely followed Delaware case law set forth in In re Caremark International Inc. Derivative Litigation with regard to meeting their fiduciary duty of loyalty. Under Caremark, boards were not judged liable for failing to exercise proper oversight of risk and compliance unless there was an “utter failure to attempt to assure a reasonable information and reporting system exists.”
In Marchand, the court interpreted Caremark as requiring “that a board make a good faith effort to put in place a reasonable system of monitoring and reporting about the corporation’s central compliance risks.” The existence of a compliance or risk management program is not enough; directors and officers must actively monitor it.
Facebook Section 220 Litigation
The third significant event is related to litigation Facebook has been embroiled in regarding its privacy and cyber-security practices following the Cambridge Analytica scandal, which caused its stock to drop 19%, resulting in a loss of about $120 billion in shareholder wealth. Shareholders sued, claiming that, in connection with the Cambridge Analytica breach, the board and officers breached their fiduciary duty and failed to ensure compliance with the company’s Consent Decree with the Federal Trade Commission to maintain a comprehensive privacy program and safeguard the privacy of users’ data, conduct regular risk assessments, and make required disclosures regarding the sharing of non-public user information.
Section 220 of Delaware General Corporation Law allows shareholders to demand to inspect a company’s books and records. The law requires only a finding that the shareholder has a “proper purpose” for seeking to inspect the records. Delaware courts have interpreted this to mean there must be evidence that establishes a “credible basis” for the court to infer there were legitimate issues of possible waste, mismanagement or wrongdoing that warrant further investigation. On May 30, 2019, the Delaware Court of Chancery ruled in favor of the shareholders seeking to review Facebook’s books and records in support of their claims.
In contrast with the high burden of proof set in the Caremark and Marchand cases, the “credible basis” standard is a very low burden of proof. For example, the presence of the FTC Consent Decree during the Cambridge Analytica breach was enough for the court, which stated there was “a credible basis to infer that the Board acted with disobedience by allowing Facebook to violate the Consent Decree,” even noting that “Plaintiffs have presented some evidence that Facebook’s directors and officers may have breached their Caremark duties, particularly in light of the Consent Decree in place at the time.”
The case sends a clear message that companies facing legal and regulatory cyber-security compliance requirements need to ensure their oversight gets heightened scrutiny—or the company’s books and records may be subject to review.
D&O Governance Going Forward
These three events demonstrate that companies need to ensure they have a cyber governance framework in place that meets OCIE guidance and cyber-security best practices and standards. Most importantly, key cyber-security risks need to be monitored by directors and officers to both protect the organization and provide a defense against shareholder derivative and securities class action litigation following major cyber incidents. Agents and brokers can use the following checklist for cyber risk management discussions with their clients.
Risk Committee: Establish a risk committee at the board level to manage enterprise risks, including cyber. With today’s dependency on IT, it is foolish to think cyber risk management can be siloed. Although some companies place risk management within audit committees, the trend today is to have separate audit and risk committees.
Top-Level Policies, Roles and Responsibilities: Two of the most important actions directors and officers are responsible for are (1) setting a culture of cyber security through high-level policies and (2) defining roles and responsibilities for cyber security and ensuring competent people are placed in those positions.
Risk Assessments: Numerous laws now require cyber risk assessments, including HIPAA, the Federal Information Security Management Act (FISMA), Department of Defense procurement regulations, the New York Department of Financial Services regulations on cyber security, the National Association of Insurance Commissioners’ Insurance Data Security Model Law, and numerous state laws.
Regular risk assessments are the best barometer of cyber-security maturity and risk management. Risk assessments should include a review of vendor security, including a review of the Service Organization Control Report (referred to as an SOC-2 report) for key software-as-a-service, managed security service providers, or vendors that handle, store, or process confidential or sensitive data.
Large organizations should engage independent third parties to conduct assessments annually, while small and midsize businesses may be able to get by with one every two or three years (unless mandated otherwise by law or regulation). Directors and officers should review assessment reports and ensure appropriate remediation plans are developed and executed.
Governance Framework: The establishment of a governance framework is the foundation of effective oversight of cyber risks. The risk assessment should identify key cyber threats and vulnerabilities that are serious enough to warrant monitoring by the board and senior executive team. Next, the organization should identify information flows that will inform directors and officers and enable them to monitor these risks. An effective governance framework includes unfiltered meetings and reports from the person responsible for the organization’s cyber-security program.
Cyber Risk Management Advisory Services: Directors and officers should retain a competent third party to provide an independent perspective to the board and executive team during incidents and at other critical junctures, such as determining the cyber-security budget or infrastructure, system architecture, or vendor utilization. Ideally, this advisor should also be able to provide semiannual threat briefings to directors and officers to ensure they stay informed and the organization remains resilient.