A Universal Model for Assessing Cyber Risk Part 1: More Than a Technology Problem
This is the first post in a four-part discussion of the need for a universal model for assessing cyber risk. Subsequent posts will include “Following the Path of Financial Governance,” “Obstacles to Effective Regulation,” and “Toward a Universal Cybergovernance Model.”
In “Cyber Liability: It’s Just a Click Away,” Zelle and Whitehead said that “cyber coverage falls into two categories: (1) forms that offer coverage for first-party risks, such as cybercrime, viruses and system malfunctions; and (2) forms that insure against third-party risks, such as data breach claims and claims for the infection of outside systems.” Now a third form of coverage is needed to address the potentially devastating personal liability incurred by corporate directors in their cybersecurity governance responsibilities.
The economic impact of cyberattacks in the U.S. is estimated at over $100 billion annually. Part of this cost manifests as an estimated 200,000 lost jobs nationwide, “and the costs will only increase over time.” As the frequency and impact of cyberattacks increase, the legal landscape surrounding cybersecurity continues to evolve. Since many organizations are finding that cyberattacks represent the greatest potential risk to operations and business valuation, the drive to mitigate cyber breach risk is intensifying.
This broad recognition of the potential impact cyber breaches have on our economy is motivating lawmakers to act. Rather than wait for policy to evolve through court rulings, they’ve introduced several bills in Congress (e.g., the Cybersecurity Information Sharing Act) to encourage information sharing among companies and agencies as an important first step in combating cyber crime.
The growing realization that cybersecurity is not exclusively an IT problem has elevated responsibility for improving organizational cyberattack readiness to the board of directors. Governance of cybersecurity (“cybergovernance”) comprises tools and processes for assessing and evaluating a firm’s overall cybersecurity program. Addressing cyber risk is rapidly becoming a mandatory aspect of the board’s fiduciary responsibility to address all risks to corporate value. Pressure on corporate directors to assume a larger role in guiding their companies toward greater cybersecurity maturity is intensifying.
A recent KPMG survey revealed that 86% of global institutional investors “want to see an increase in the time boards spend on cybersecurity.” Government agencies, including the Securities and Exchange Commission and the Federal Trade Commission, are pursuing actions against directors to hold them personally liable for related losses should they fail to demonstrate “prudent business oversight” and “duty of care.”
Hillard Sterling, partner with Winget, Spadafora & Schwartzberg, LLP, says that “directors may be protected by the business-judgment rule, but only in part, since the protection depends on whether they undertook reasonable efforts to inform themselves about – and then address – cybersecurity risks. Plaintiffs and regulators are looming and ready to pounce on shortcomings in preparing for and responding to breaches and incidents.”
While board members are experiencing extraordinary pressure to increase their oversight, few are well equipped for the task. A survey of over 1000 corporate directors conducted by the National Association of Corporate Directors found 36% dissatisfied with the quality and 52% dissatisfied with the quantity of information provided by management about cybersecurity and IT risk.
In part 2 next week, we’ll trace how increasing board governance over cybersecurity is following the same path that financial governance followed after passage of Sarbanes-Oxley.