Tipping Point for Cyber Risk Governance – 2017 was the Year!

The Akin Gump Strauss Hauer & Feld’s annual survey of revealed directors’ major concerns:

• “The greatest threat to our markets right now is the cyber threat.”
• “The past year redefined the upward bounds of the mega breach, including the Yahoo!, Equifax and Uber hacks, and the SEC cyber-attacks.”
• “The stakes will continue to rise for boards in connection with cyber security in 2018.”
• “Cyber security preparedness is essential in 2018 as the risk of and associated adverse impact of breaches continue to rise.”

In 2017, the Cybersecurity Framework (CSF) developed by NIST evolved into a de facto national standard. The May Executive Order directing all federal agencies to report their cyber status to OMB using CSF, along with an expected ripple effect as agencies require vendors to follow suit, promises that this framework will eventually be enshrined in regulations. While NIST denies they were trying to define a standard, CSF rapidly filled the need for a common way to evaluate cyber risk preparedness across all industries, geography, and organization sizes and types.

Choosing in early 2015 to base its platform on CSF was a fortunate decision for leadership, but another 2017 event was even more significant for Cybernance. After a nine-month process during which DHS vetted our company and technology under the post-9/11 SAFETY Act, Cybernance was designated in April of this year as a Qualified Anti-Terrorism Technology (QATT). Organizations who use a QATT can substantially reduce liability for third-party legal actions. No other similar offering that manages cyber risk governance using NIST CSF has achieved a SAFETY Act designation.

As directors and executives are being held increasingly responsible for managing cyber risk, their liability has grown dramatically. The CEO and board’s major responsibility is to increase shareholder value, and cyber breaches represent a substantial threat to long-term growth. “Breached companies tend to underperform the NASDAQ. They recover to the index’s performance level after 38 days on average, but after three years the NASDAQ ultimately outperforms them by a margin of over 40 percent.” [Comparitech study, July 2017]

Average Stock Performance After Breach

After the Equifax breach was announced, the company lost $4 billion in market value, and its post-breach value still remains 20% lower than its pre-breach value. The actions taken since the Equifax breach was announced dramatically highlight the need for greater liability protection. Over 30 suits have already been filed against the company, with at least one alleging securities fraud. Shareholder derivative suits holding the board and executives directly liable for negligence are predicted to emerge in early 2018. The numbers will be staggering in any pre-breach negligence suit, far beyond the coverage of any normal D&O policy.

As concerns about the financial impact of breaches has grown, state governments have moved to encourage and mandate efforts to manage cyber risk. The cybersecurity regulations issued early in the year by the State of New York’s Department of Financial Services (NY DFS) are a significant step toward a Sarbanes-Oxley style mandate for cyber-related risk. NY DFS watches over financial services companies licensed by or operating in New York State. The new cybersecurity regulations apply to banks, trust companies, investment companies, insurance companies and brokers, mortgage lenders, and other financial services organizations. Influenced heavily by NIST CSF, they require key proactive steps to be taken by financial services institutions.

According to the National Conference of State Legislatures (NCSL), more than 200 bills have been introduced in over 40 other states to encourage stronger efforts in cybersecurity. “States are addressing cybersecurity through various initiatives, such as providing more funding for improved security measures, requiring government agencies or businesses to implement specific types of security practices, increasing penalties for computer crimes, addressing threats to critical infrastructure, and more.”

The National Association of Insurance Commissioners (NAIC) comprises leaders of the insurance-regulating agencies of the states. Although each state governs the insurance operations that take place within its boundaries, the NAIC recognized the need for standardization of state insurance laws governing cybersecurity. In October, the National Association of Insurance Commissioners (NAIC) adopted the Insurance Data Security Model Law. Heavily based on the NIST CSF-based NY DFS Cyber Regulations, compliance with NY DFS will ensure compliance with the NAIC directive.

The development of significant cybersecurity breaches along with major legislation and regulations raised the bar in 2017 on cyber risk governance and awareness by corporate directors and executives, and being awarded the SAFETY Act designation by DHS as a Qualified Anti-Terrorism Technology was a significant achievement. 2018 will surely continue the efforts to combat cyberattacks and develop stronger internal oversight and cyber risk management.

What should we expect for cyber risk governance in 2018? Stay tuned. We will offer our thoughts in the next post.