2016 Is The Year of Cybergovernance: How Directors Can Protect Themselves and Their Companies

Beijing is accelerating the Chinese economy by short-circuiting the time and cost of innovation. This hacking problem remains hidden because many U.S. companies won’t go public for fear of being cut off from the lucrative Chinese market. In the face of these revelations, what path should a corporate director take in 2016?

A recent segment of 60 Minutes described how the Chinese government steals intellectual property from American companies. In one example, an email with an attachment was sent by a corporate director to several management leaders; they all opened the attachment that ultimately enabled entry into the company’s most valuable information.

The Great Brain Robbery

 
The SEC, FTC, and the courts have made it clear that cybersecurity is a board responsibility. For example, the prominent proxy advisory firm Institutional Shareholders Services (ISS) urged the ouster of most of the Target Corporation directors because of their “failure… to ensure appropriate management of [the] risks.” SEC Commissioner Luis Aguilar, quoted by the Harvard Law School Forum last September, stated “there can be little doubt that cyber-risk also must be considered as part of board’s overall risk oversight.”

If the personal liability risk to directors is so clear, why aren’t more boards protecting themselves? Here are 4 common reasons and how to take corrective action:

1. Dealing with cybersecurity is outside the comfort zone of non-technical directors.
   Is there a more complex issue than cybersecurity? Directors are typically chosen for their financial, legal, or business acumen, so expecting them to comprehend the nuances of cyber risk well enough to make a difference is unrealistic.

   Take Action: Ask for automated, regular assessments based upon well-accepted industry standards for measuring cyber risk, like those from NIST and DoE. A breakthrough realization for directors is that cybersecurity is not just a technology issue. Directors can govern cyber risk just as they would any other business risk. Seeing a cybergovernance dashboard based on standards enables directors, management, and security professionals to communicate about common and well-understood, risk-preventing business actions.

2. It’s easier to ignore or pay lip service than to take action.
   Knowing the relative maturity of the cybersecurity program is as much a fiduciary duty as reviewing financial progress. Incredibly, many board meetings don’t include cybersecurity as a regular agenda item, and even those that do may include a report that focuses on arcane security metrics and tactical, technology issues. Boards shouldn’t simply thank the provider of the report, then move to the next agenda item without understanding what they’ve seen – but it often happens.

   Take Action: Insist on an automated process to assess and track enterprise-wide progress toward cyber attack readiness. While risk management policies and technology need to be in place, the NIST Framework identifies two other dimensions that we call “risk culture” and “risk influence.” Creating a risk culture requires engaging all parts of the organization (e.g., HR and Procurement) to become knowledgeable about what they can do to reduce risk; managing risk influence requires assessing and tracking the level of risk introduced by partners and vendors.

3. A director may fear incurring significant personal liability by getting involved in cybergovernance.
   The legal terms “prudent oversight” and “duty of care” describe a director’s fiduciary responsibilities. While a director must encourage mitigation of all forms of risk in order to stay protected behind the corporate veil, they can go too far if they actually run the company and thereby increase their personal liability.

   Take Action: Stop taking a a “head in the sand” approach that doesn’t solve the problem. A cyber event may outweigh all other forms of risk, so avoiding involvement may incur as much liability as doing too much. Prudent oversight requires understanding and tracking steps that the organization takes to mitigate cyber risk, while not prescribing the precise technologies used.

4. Boards believe that Directors and Officers (D&O) insurance is all the protection they need after a cyber breach.
   No prudent director accepted his/her position without requiring indemnification against litigation brought against the company. Often, they assume this protection includes cybersecurity lawsuits as well, but D&O (directors’ and officers’ insurance) providers are increasingly uncomfortable about this issue. Some D&O policies have “carved out” cyber breaches because (a) historical data on cyber breach damages is inadequate to estimate cyber risk, and (b) risk from a cyber breach may dwarf other sources, something unanticipated when the D&O policy was issued.

   Take Action: Clarify your D&O provider’s cyber coverage, then ask management to regularly assess cyber maturity so that it can be reviewed and tracked by the board. Cyber risk is not just a technology issue. It can be – and should be – reported in non-technical terms accessible to anybody familiar with business.

A recent NYSE survey of 276 board members in late 2015 found that 60% of respondents expect an increase in shareholder lawsuits against companies due to cybersecurity issues, while 72% expect more cyber-related regulation – in the near future. Moving to institute effective governance of cyber risk in advance of lawsuits and regulation makes good business sense, and it represents prudent oversight and duty of care by the board.

2016 is the year to take action to protect the board and the company from cyber breaches.