Board Director Cyber Liability

The last decade has seen a large number of major cybersecurity incidents in the media and with them, data breaches which have affected millions upon millions of individuals. These breaches are expensive for the companies involved, the costs incurred by the fallout of cyberattacks include financial penalties imposed by regulators for bad practices, disruption to business operations, lawsuits from affected business partners and customers, loss of reputation, and of course, a massive loss of shareholder value. An analysis of significant cyber breaches makes it obvious that there is a strong connection between a major cyber attack and the performance of a businesses share price. The report goes on to quantify the value of shares lost as a whopping $50+ billion, with the average public company losing $150 million+ in share value following a major cyber attack. These figures, however, do not take into account the compliance penalties associated with a major cyber attack if the organization is found to be negligent in the way it handled its cybersecurity. Compliance fines that resulted from major cyberattacks and data thefts when the organizations were found to have weak security, initiated a cover-up or made mistakes have cost them a total of $1.2 billion+ after the event.

We must also not forget the intangible costs of a cyberattack against your business, namely the sullying of your brand reputation should a cybersecurity incident occur and the damage to your relationships with your partners if the incident ends up negatively impacting their business too. In a survey conducted by IBM, more than 75% of consumers stated that they would never buy from a company again if it emerged their data was not being properly protected.As board directors’ cybersecurity responsibilities become clearer in the eyes of the law, it is increasingly likely that corporate officers and board-level directors will have to face the possibility of personal liability for these losses. In this article, we address how board directors can minimize cybersecurity risks to themselves and their organizations.

Over the past decade, when a board of director’s cybersecurity duties were not yet clear, they were generally assumed to be free of any personal liability for cybersecurity incidents and breaches. However, this is changing. In the past, any kind of fiduciary liability claims against board directors were dismissed because they could claim that their cybersecurity oversight duties were not considered known duties that give rise to personal liability. In general, courts were concluding that legal challenges and claims that board directors should have known about threats did not create any personal liability for fiduciaries. Today, changing laws and legal conclusions indicate that board members’ cyber risk responsibilities have become much clearer over the last few years. Recently, a judge in Georgia refused to dismiss a case against the Board Directors of Equifax. They had personal knowledge of the cyber risk and vulnerabilities in the business they provided oversight for. Even worse, some of those board members were found to have misrepresented the strength of Equifax’s security technology. Earlier this year, a second judge in California approved the very first settlement against Yahoo board directors after a cybersecurity data breach, indicating a trend toward fiduciary liability.

It is now argued by many that an increase in cybersecurity incidents and breaches, combined with the obvious and severe financial penalties and consequences, creates a need for businesses to define the board director’s cybersecurity duties. What is obvious is that when board directors fail to put oversight measures in place or ignore red flags, claims holding them personally liable can be brought by shareholders. If an organization becomes the victim of a serious data breach and it is discovered that the board of directors failed to implement a good-faith process for overseeing cybersecurity risks, then they face personal liability. Liability increases if it emerges that they ignored any red flags without investigating them. To further cement cybersecurity as an executive responsibility, SEC Commissioner Luis Aguilar advised that, “board directors are responsible for overseeing the management of all kinds of risk, there is little doubt that cyber risk must also form a part of the board’s oversight”, which leaves no room for doubt.

Now that it is obvious that the oversight of cyber risk is part of a board director’s duty and fiduciary responsibility, boards must take some practical steps. Here are our top recommendations for minimizing personal liability for a data breach:

  1. Board members must review and understand the compliance regulations, laws, and best-practice guidance that impact the organization whose board they sit on, they also need to know who in the organization is responsible and has authority over the cybersecurity issues that affect the businesses risk profile. Best practices need to be reviewed and board members need to be asking where the practices fall short so that the deficits can be understood and mitigated against over the long term to avoid those deficits becoming a serious issue.
  2. Ensure that your business regularly conducts independent vulnerability and cyber risk assessments. Properly understand the kinds of data your business collects, how it is stored, and what kind of data flows through your business. This is foundational to understanding your business in the context of cyber risk.
  3. If a business is a public company, make sure that you have effective processes, procedures, and controls in place to address and oversee cybersecurity risks. Also, verify that cybersecurity incidents are publicly filed and disclosed in public compliance filings.
  4. Make sure that the business has well-defined information security, data privacy, and security policies in place. These should be tailored to an individual business and include regular and frequent employee training. You should also take steps to verify that these policies are being enforced in your organization.
  5. Board members need to ensure that the individual in the business with responsibility for and authority over the cybersecurity issues which may cause business risk has implemented systems and controls for cybersecurity reporting and that they regularly monitor these systems for threats, red flags, and potential risks, alerting the board of any potential high level issues.
  6. Even if you’re on the board of a private company, consult with the cybersecurity team to understand their policies and practices and discover how they are being audited to uncover potential issues and glaring gaps. In tightly regulated industries, compliance regulation audits covering cybersecurity can also be helpful in identifying shortfalls in your overall cybersecurity posture and act as a driver to mitigating against them in order to remain compliant.
  7. Make sure that you know which board members have cybersecurity oversight duties and responsibilities. At least one board member should be technically literate enough to lead board conversations and answer questions about cybersecurity.
  8. Include cybersecurity topics during board meeting discussions to ensure that the board is aware and focused on the business’s cybersecurity efforts.
  9. Become familiar with insurance policies that cover a business’s cyber risk and data breach response efforts. Ask your insurer about the policy exclusions and limits, checking that they cover both third-party and first-party cybersecurity losses.
  10. Allocate budget for incident response services, we have seen boards who are unwilling to pay for these services come to regret it at a later date when an incident occurs and end up spending much more money than what they would have spent in the first place. Make sure a team is ready to deal with incidents as they occur to avoid this.
  11. Ensure that your business has effective cyber insurance protection in place, covering its three forms: third-party written coverage, first-party written coverage, and implicit silent cyber coverage to provide financial respite against loss of income, loss of data, virus liability, cyber extortion payouts and regulatory civil action coverage should the worst case scenario occur.

From 2021 on, there will no longer be any legal doubt that board members, directors, and officers have a duty to provide oversight of their business’s cyber risks and cybersecurity efforts. As the cyber landscape continues to evolve and grow, directly targeting organizations large and small, it is vitally important that board members fulfill their cyber risk obligations to protect themselves from liability, all while protecting their business, customers, employees, and shareholders.