For well over a decade, CEOs have been relegating the operational, legal, reputational and competitive risks associated with cybersecurity to those responsible for Information Technology. Yet, as the recent onslaught of intrusions against retailers confirms, cybersecurity is an enterprise risk management issue that extends beyond the combined efforts of the Chief Information Officer, the Chief Technology Officer, the Chief Security Officer and the Chief Information Security Officer. Cybersecurity is the unsung linchpin of every company that has grown increasingly dependent upon vulnerable technologies, whether to communicate, to store sensitive data, or to manufacture and deliver its products and services.
Unfortunately, the pervasive attitude that cybersecurity is an IT problem rather than a C-Suite whole-of-enterprise concern likely stems from the top. As the National Association of Corporate Directors recently observed, a lack of cyber expertise on corporate boards presents a real and urgent threat to oversight. Inexplicably though, the NACD also found that “a demand for IT experience generally has not surfaced in director recruitment.” That needs to change. Simply put, thinking of cybersecurity as an IT issue is similar to believing that a company’s entire workforce, from the CEO down, is just one big HR issue.
What is Cyber Risk?
Businesses need look no further than to guidance published by the Securities Exchange Commission to understand how cybersecurity failings can impact stakeholder value across a broad array of corporate interests. As stated by the SEC, companies that suffer from a significant cyber incident often face one or more of the following material harms:
- Remediation costs that may include liability for stolen assets or information and repairing system damage that may have been caused;
- Increased cybersecurity protection costs that may include organizational changes, deploying additional personnel and protection technologies, training employees and engaging third party experts and consultants;
- Lost revenues resulting from unauthorized use of proprietary information or the failure to retain or attract customers following an attack;
- Litigation; and
- Reputational damage adversely affecting customer or investor confidence.
To ensure registered companies disclose meaningful information about those “risks and events” that a reasonable investor would consider important, the SEC wrote that corporate filings may be required to address cyber issues under a number of sections, to include Risk Factors, Management’s Discussion and Analysis, Description of Business and Legal Proceedings. The SEC warned against generic “boilerplate” disclosures and, in 2012, began sending letters to companies that, according to news accounts, suffered major breaches.
What is the Legal Landscape?
Many, including myself, consider corporate victims of computer intrusions to be, first and foremost, victims. Still, class action lawyers are presenting legal theories of liability that include negligence, breach of contract, breach of fiduciary duty, invasion of privacy, waste and conversion, infliction of emotional distress and unjust enrichment.
On occasion, the government has taken a similar approach against corporate cyber victims. The Federal Trade Commission, often with encouragement from members of Congress, has investigated dozens if not hundreds of companies that have suffered data breaches. The FTC asserts that it has jurisdiction to decide whether a company’s privacy statements and terms of service are objectively or subjectively unfair or deceptive. Although the FTC has not published any rules on the subject, it has brought charges against companies for failing to have “reasonable and appropriate” procedures for handling personal information or “sufficient measures” to prevent, detect and investigate unauthorized access to computer networks.
Meanwhile, State Attorneys General are filing civil cases against corporate victims under both federal and state laws, including when a company “unreasonably” delays consumer breach notification. In short, adding to the operational and reputational risks associated with a computer intrusion, the risk of litigation is considerable.
Entirely eliminating the risk of a computer incident is impossible. Therefore, the best that corporate leadership can do is to identify and prioritize the most important company data and systems, and then ensure meaningful oversight of the technical, administrative and physical controls being used to prevent (or quickly recover from) an incident. It is well passed time to take cybersecurity issues out of server rooms and into corporate executive wings and boardrooms.
About the Columnist: Steven Chabinsky is General Counsel and Chief Risk Officer for CrowdStrike, a big-data cybersecurity technology firm that specializes in continuous threat monitoring, intelligence reporting, cybersecurity assessments, and incident response. He previously served as Deputy Assistant Director of the FBI’s Cyber Division.