Ignoring Board Liability for Cyber Risk is… Unwise
As the frequency and impact of cyber breaches increase, board members continue to assume that D&O insurance protects them from liability. Well-established law and recent regulatory actions suggest that astute directors should become more actively engaged.
While most corporate directors accept that oversight of cybersecurity is included among their fiduciary responsibilities of “prudent oversight” and “duty of care,” many are unaware of the exposure they face if they fail to actively engage. The increasing proclivity by shareholders to pursue derivative suits against directors and officers after a breach, together with threatening statements from the SEC and regulatory actions by other agencies, is causing boards significant concern.
Directors assume that D&O insurance will cover any post-breach legal actions against them. Early in 2015, however, we predicted the eventual carving out of cyber risk from D&O policies. At the very least, we expected that after a breach, coverage would be contested. Then in December, one prospect told us they’d received a letter from their insurer that specifically dropped coverage for cyber breaches from their D&O policy. We are aware of other D&O insurers who are wrestling with the lack of data to support adequate analysis for effective underwriting.
Expecting D&O providers to resist post-breach claims is prudent. In Metropolitan Corporate Counsel, David Wood and Joshua Gold offered this advice for purchasers of D&O and cyber insurance:
“Resist insurance company efforts to include exclusions, warranties, representations or ‘conditions’ in insurance policies concerning the soundness or reasonableness of the policyholder’s data security efforts/protocol. These clauses are a recipe for disputes on potentially every security incident. Given the pace of technological innovation, almost every security step can be second-guessed with the benefit of 20-20 hindsight.”
Given the potential lack of protection for board members, it’s important that they understand their specific legal obligations regarding oversight of cyber risk, which stem from three key sources:
- The Gramm-Leach-Bliley Act of 1999,
- The Sarbanes-Oxley Act of 2002, and
- Recent FTC enforcement actions.
The Gramm-Leach-Bliley Act (GLBA) and the FFIEC
The GLBA instructs financial institutions to safeguard customer information. Since it doesn’t specify how this is to be done, the Federal Financial Institutions Examination Council (“FFIEC”) published its Interagency Guidelines Establishing Information Security Standards. The Guidelines establish standard ways to protect customer information for financial institutions “subject to their respective jurisdictions relating to administrative, technical, and physical safeguards for customer records and information.”
The Guidelines require establishing an information security program to assess risks to customer information, writing a plan with policies and procedures to manage and control the risks, and adjusting the plan to account for changes in technology and external threats. Mandatory board engagement involves approving the written information security program and overseeing its implementation.
The Sarbanes-Oxley (SOX) Act of 2002
Similar to GLBA, SOX requires establishing information security processes and audit procedures to protect corporate information. With a focus on the impact of data security on financial statements, SOX mandates that statements accurately reflect the diminished value of intangible assets after a security failure or breach.
Recent FTC Enforcement Actions
The Federal Trade Commission has become increasingly aggressive in pursuing judgments against the directors of companies breached in part because of apparent board inaction. The highest-profile case, against Wyndham Hotels and Resorts, arose after a series of breaches that began in 2008. When Wyndham asserted in 2015 that the FTC was exceeding its authority to regulate corporate cybersecurity, the Third Circuit Court upheld a lower court ruling that the FTC indeed had the authority, as well as the right to pursue a lawsuit accusing Wyndham of failing to properly safeguard consumer information.
How can directors actively engage in oversight of cyber risk? The first step is realizing that it’s an important part of their fiduciary duty. The second step is educating themselves more fully about the risks that cyber breaches pose to the operation and valuation of the company. NACD offers some excellent information and training on the subject.
Finally, decide whether to (1) add cybersecurity expertise to the board, or (2) take steps to establish a systematic method of effective communication about cybersecurity that engages key parts of the entire organization. We highly recommend the latter.