Directors: please consider yourselves legally on notice. News headlines about the latest corporate hacks abound. From TJX Companies, Target, Sears and Snapchat to Home Depot, Community Health Systems, JPMorgan and Miami-based Total Bank, every board of directors must adapt to a changing cyber world to protect its company. The U.S. SEC Commissioner recently stated that boards must increase their role in cyber security, from building technical know-how within the board to following up with proper notification and disclosure of breaches.
What follows is a brief overview of legal standards and best practices, regardless of the size or assumed risk profile of any given company and board. While this overview is not intended as legal advice and is provided for informational purposes only, we hope our identification of issues here will highlight the wisdom of conversing early on with counsel.
The goal is to prevent, mitigate, and promptly manage the costs that arise in the aftermath of a cyber breach. These costs include increased turnover of existing customers, difficulty acquiring new clients, and diminished reputation and goodwill. They also include securities fraud class actions and shareholder derivative actions based on harm to the corporation, for example through significantly decreased stock prices.
Recent lawsuits nationwide focus on directors’ conduct before, during, and after a cyber security breach. These generally allege that directors failed to implement or update security policies and that they even increased damages by failing to timely disclose (or to ensure that management timely discloses) data breaches in SEC-related public filings.
These suits specifically implicate breaches of fiduciary duties, such as the duties of loyalty, oversight, and care, as well as waste of corporate assets, gross mismanagement, abuse of control, and unjust enrichment. Disclosure liability is also at stake and involves a company’s public statements about cyber security protection measures, its risk level for a breach, and the magnitude of a breach upon occurrence.
State and federal regulators are also increasingly investigating breaches. The Federal Trade Commission, for instance, will look into unfair practices for a company’s failure to adopt appropriate cyber security measures. The FTC will also investigate deceptive trade practices for a company’s failures to properly communicate if and how its practices deviate from its policies. The Food and Drug Administration is looking into cyber threats to medical devices. And there is an uptick in ongoing regulation and negotiations with the U.S. Department of Justice, State Attorneys General, and state consumer protection agencies.
Directors should strongly consider adopting the following best practices to protect the business and legal interests of their boards and companies.
Restructure the board
A director or a committee should focus on cyber risk management. It should be separate from the audit committee and report directly to the full board. Boards should recruit directors with IT governance and cyber security risk experience. Mandatory cyber-risk education is recommended for directors. As part of its Critical Infrastructure Cyber Community Voluntary Program, the U.S. Department of Homeland Security has identified some resources that may assist boards in implementing a director cyber-risk education program.
Consider appointing a chief information officer (CIO), chief information security officer (CISO) and/or chief privacy officer (CPO), and regularly meet with them to review expectations and plans. These officers should head a department centered on information privacy and security that includes employees solely responsible for cyber security.
Also consider appointing a committee responsible for privacy and security. Its members can include the above officers, plus senior management from various departments. The committee should meet regularly and afterward report directly to the board. The board should also require a cross-organizational team of senior executives to meet regularly on privacy/security issues.
If an outside vendor is brought in, the contract with the vendor must address key issues, including security requirements, warranties, applicable security standards certifications (such as PCI), audit rights, service levels, backup systems, data-destruction policies and breach notification. But even if the company can protect its data without outside experts, the board periodically should engage independent outside consultants to audit the company’s cyber security practices and report their findings directly to the board. The board then should review any differences between the recommendations of outside consultants and company officers.
Review budgets and processes
The board should direct adequate funds towards cyber security. It should also regularly review the company’s incident response programs. Internally, it should establish chain of command for stopping intrusion, securing networks, and implementing prioritized recovery. Externally, it should establish policies regarding breach notifications to governmental authorities, markets, and customers. The board should further evaluate the process and diligence involved in selecting the company’s cyber vendors and the adequacy of employee training on these issues.
While standards vary by industry, the primary guidance source on widely accepted best practices and standards is the National Institute of Standards and Technology (NIST) framework standards for cyber security. Regulators take into account the level of compliance with these. Secondary guidance sources include the International Organization for Standardization and the National Association of Corporate Directors, in conjunction with AIG and the Internet Security Alliance. Standards should further be cross-checked with those of the IT Governance Institute and the Information Systems Audit and Control Association (ISACA).
Specific measures can and should be instituted, such as requiring that a major software vulnerability be fixed within ten days of its identification. If not timely fixed, the company must explain any delay to senior managers and eventually to the board.
The board should ensure that the company has written security standards and practices as well as written breach-response protocols. The appropriate officers or committee, under the board’s supervision, should periodically review and update these.
Oversee reporting systems
Actively monitor corporate performance by ensuring the company maintains sufficient reporting systems to keep the board informed of company risks and business performance. The board should oversee internal investigations, document due diligence, identify the laws of each state in which a breach’s effects are felt or that impact such state’s residents (such as the Florida Information Protection Act of 2014), reconcile any interstate conflicts of law, and ascertain the proper timing and form to comply with notification requirements.
Company statements, reports, disclosures, and other required SEC filings should cover past breaches, both material and executed as well as immaterial and attempted. Courts consider a failure to disclose cyber incidents a material omission per recent SEC disclosure guidance.
Review your company’s insurance policies to determine the level of existing coverage for cyber attacks. Like other types of insurance, cyber insurance coverage varies in important ways. Typical coverage options include Directors and Officers (D&O), Comprehensive General Liability, and Cyber Insurance Policies.
Assess the company’s cyber security risk profile and evaluate potential losses to ensure adequate insurance coverage. Internal costs to cover include business interruption costs, legal expenses, loss of digital assets, and response costs. External costs to cover include third-party damages, credit monitoring, and customer notification.
Before any cyber attack occurs, buy or pre-negotiate D&O liability policies to cover damages for claims against directors and officers that may arise from privacy breaches. The board should consider supplemental insurance specifically for privacy-related liability. Consider counteracting a privacy exclusion by adding qualifying language that covers, for instance, oversight liability or securities claims.
Finally, check the company’s formation documents and insurance policies to ensure maximum protection of directors and officers against personal exposure. Consideration should be given to appropriate drafting of provisions in the company’s governing documents releasing directors and officers from privacy liability and indemnifying them for losses arising from such liability. In certain cases, exculpatory provisions in a company’s corporate charter document or bylaws (to the extent permitted by applicable law) may preclude the bringing of particular types of claims against directors and officers altogether. Lastly, indemnity agreements can provide for advancement of defense costs during litigation and cover any settlements or monetary judgments when the case ends.