Increased Cyber Attacks Grabbing the Attention of Corporate Boards
The data breach that compromised 40 million-plus Target customers, its subsequent fallout, and other high-profile cyber security issues are gaining the attention of boardrooms across the country and across all industry segments. In fact, a recent article in the Wall Street Journal notes that “after a series of high-profile data breaches and warnings, corporate boards are waking to cyber threats, grappling with security issues they once relegated to technology experts.”
The article cites individual actions taken by giants Kellogg, Wal-Mart, Tyson Foods, and Delta Airlines to deal with the exposures and subsequent liability arising from cyber threats. When directors and officers now meet, the subject of computer hacking is on the agenda.
For example, Kellogg worries about threats from cyber attackers looking to get their hands on proprietary intelligence, such as what makes its Rice Krispies so crisp or the production process for making a Pringle. As a result, in 2012 the board created a dedicated security group and hired the firm’s first chief information security officer, according to the Wall Street Journal article. Tyson Foods briefs its directors on cyber security on an annual basis as well as on an as-needed basis. Delta Airlines, according to the article, added a board member in 2011 because of his “substantial expertise in the information technology security industry.”
These measures are needed to deal head on with the new normal of cyber liability. According to a Wall Street Journal analysis, so far this year, 1,517 companies traded on the New York Stock Exchange or Nasdaq Stock Market listed some version of the words cyber security, hacking, hackers, cyber attacks or data breach as a business risk in securities filings. That’s up from 1,288 in all of 2013 and 879 in 2012.
What’s at stake for directors and officers who don’t take cyber security as seriously as they should and elevate this issue to the boardroom?
Simply put, job security. Look what happened after Target’s data breach and other missteps. The retailer fired its chief executive, and its chief information officer resigned. Moreover, a shareholder advisory firm recommended getting rid of most of the board. (Target investors didn’t follow this recommendation, however – they recently re-elected all 10 of the retailer’s directors.)
SEC Commissioner Addresses Cyber Security and the Role of Boards
Cyber security as a top-of-mind issue for board members was the topic of discussion in a speech given last month by SEC Commissioner Luis A. Aguilar. In his speech entitled “Boards of Directors, Corporate Governance and Cyber-Risks: Sharpening the Focus” delivered at the New York Stock Exchange, Aguilar highlighted the critical importance of the involvement of boards of directors in cyber security oversight. He emphasized the “widespread and severe impact that cyber attacks could have on the integrity of the capital markets, infrastructure and on public companies and investors.” In light of these risks, he said that “effective board oversight of management’s efforts to address these issues is critical to preventing and effectively responding to successful cyber attacks and, ultimately, to protecting the company and their consumers, as well as protecting investors and the integrity of the capital markets.”
In his speech, Aguilar also noted that risk management oversight is an increasingly important board role, adding that “there can be little doubt that cyber security also must be considered as part of the board’s overall risk oversight.” He stressed that the threats of a cyber attack include not only the risk of business disruption and reputational harm but also, for directors, “the threat of litigation and potential liability for failing to implement adequate steps to protect the company from cyber threats.”
For example, Target is now facing a shareholder derivative lawsuit, alleging its board members and directors breached their fiduciary duties to the company by failing “to maintain proper internal controls” related to data security and misleading affected consumers about the scope of the breach after it occurred. The complaint alleges the retailer was damaged by having to pay costs associated with the data breach, including expending money for credit monitoring services for affected customers, causing Target “to be exposed to millions of dollars of potential liability in class-action lawsuits,” and through “substantial damage” to “the company’s sales during the 2013 holiday season, its market capitalization, goodwill, consumer confidence and brand trust.”
A company needs to ensure that it’s appropriately prepared to respond in the event of a cyber attack. That means, according to Aguilar, putting the time and resources into making sure that management has developed “a well-constructed and deliberate plan” for responding to a data breach or other cyber incident. It also includes having a robust Cyber Liability insurance and Directors & Officers Liability insurance program in place. At Caitlin-Morgan, we can assist in securing a comprehensive program to respond in the event of a data breach or cyber attack. Please give us a call at 877.226.1027.
Sources: Wall Street Journal, D&O Diary