Cyber Security Implications for Directors and Officers
At this stage, nearly every executive is aware of the prevalence and indiscriminate nature of cyber threats, including DoS (Denial of Service) attacks and the theft of proprietary and confidential information. In terms of the frequency and severity of cyber-attacks, 2016 was the worst year on record, with seemingly no entity spared from hackers’ crosshairs, including many governmental bodies, nonprofit organizations, and (notably) presidential campaigns.
What’s the Exposure?
New legislation has intensified the risk exposure, especially for those organizations beholden to their shareholders, customers, and community. Due to new statutes and regulatory scrutiny, courts have favored higher damage awards for actual or perceived negligence; many of which stem from derivative suits (lawsuits filed by shareholders) against Directors and Officers, alleging inadequate preventative and response measures. Most notably, perhaps, are the instances where there have been no measurable out-of-pocket costs to customers or shareholders, save for the exposure of confidential information or the perceived residual loss of a company’s value. The latter is defined namely by a loss of goodwill (which many corporations carry as an asset on their balance sheets), lost efficiency and increased expenses, the exposure of intellectual property, and downwardly revised valuations from analysts.
What Can Directors and Officers Do?
Directors and Officers, due to their fiduciary duties, are presumed to be acting on an informed basis, in good faith, and in the shareholders’ or stakeholders’ best interests. As such, liability can be determined not only by how problems are anticipated and prevented, but more importantly, how Directors and Officers respond to suspected and confirmed breaches. In order to best insulate against cyber-related lawsuits, Directors and Officers should take the following steps:
- Receive input from outside the organization. Expertise from external IT vendors or consultants should be leveraged, as their perspectives will be largely unbiased and would be more suited to detect shortcomings to which internal IT staff have become accustomed. The use of third party attorneys in the wake of a breach, namely for investigative and strategic defense purposes, are preferable. If in-house counsel is exclusively used, the Attorney-Client privilege won’t be as robust, thereby jeopardizing confidential and potentially damaging information.
• Develop robust preventative and response measures. Defined roles should be established for each department, as it relates to the organization’s overarching cyber security framework. HR (policy and procedure), IT (technology infrastructure), Finance (insurance) , and Marketing (public relations) should be tasked with developing an action plan proportionate to their degree of responsibility for the organization’s well-being, both before an attack occurs, and in the immediate aftermath. Directors and Officers are in a unique position of leadership to direct such an initiative. A comprehensive breach response plan should incorporate federal and state mandates for notification of potentially compromised accounts, and include methods to proactively protect and indemnify affected parties. Meticulous documentation and record-keeping are an invaluable tool for creating a position of defensibility for the organization, should allegations of negligence arise. - Vendor outreach- In addition to ensuring that all parties in a supply chain are on the same page, inquiring about vendors’ own internal policies and security measures can help reduce the risk of backdoor access to an organization’s systems, via a more vulnerable third party.
- Insurance- Along with the proliferation of cyber-attacks, so has grown the cyber insurance marketplace. While insurance carriers continue to refine their products and pricing structures for cyber coverage, the demand for such offerings across all industry segments has grown. More and more companies recognize the threat posed by their reliance on technology, and seek a guaranteed method of recuperation after an attack.
Call Exude today to discuss the ways in which you can better protect your organization from cyber threats.