Cyber extortion exposes the lax cyber risk governance in place at media companies. What are the key issues their boards should focus on?
The media has labeled the recent theft of 10 new episodes of “Orange Is the New Black” and the subsequent extortion of Netflix as “ransomware,” but extortion differs from ransomware. Instead of locking down a system by implanting software that gives the hacker complete control (ransomware), the Netflix incident involved simple theft of intellectual property. Since selling this IP to a competitor was impossible, the hacker tried to force Netflix to pay to stop its release (cyber extortion).
Fortunately for Netflix, the breach didn’t hurt its stock price; the stock actually rose in the short term. It could easily have gone the other way, and this event may be the tip of the iceberg. Although investors are rallying behind Netflix at the moment, a breakdown in cyber risk management and oversight could be devastating to its market cap in the future.
The Netflix breach appears to have occurred at an audio production company called Larson Studios. The FBI apparently found out about the theft at Larson Studios in January and waited until a month ago to let the content companies know, but the potential for disaster has been known for years. As reported in Variety, “security experts aren’t surprised by the incident, even as details about it still emerge. That’s because many have been warning of weak security at third-party vendors for years.” Despite this knowledge, the leadership at Netflix and other content producers had not acted to ensure that third parties in the production ecosystem establish basic policies to protect against breaches.
Managing risk is the fiduciary duty of boards and officers, and cyber risk is a form of enterprise-wide risk that top management must take much more seriously. With every high-profile breach, boards of media companies increase the liability they and their companies will face when a significant breach occurs. What steps should media company boards take to mitigate cyber risk?
- Lead from the top down.
Gone are the days when leaving security to the IT staff is the answer. It’s now widely understood that cybersecurity is not just an IT problem – it’s a business problem. Board members and the C-suite must take a much more active role in making cyber risk mitigation part of the company’s enterprise risk management strategy.
- Manage people, policies, and processes.
Astute management teams recognize that cyber risk is part of their enterprise-wide risk posture. Sound policies and processes, along with employee training, improve an organization’s cyber maturity, and managing third-party vendors is part of that process. The boards of such companies consider dealing with cyber risk an important component of their fiduciary duty: they regularly assess and discuss their cyber risk status, and they implement effective policies and processes, including ensuring that people are properly trained to recognize and deal with attempts to breach security.
- Protect the board, management, and the company from liability wherever possible.
Cyber insurance is relatively new and it can be expensive, but then, how expensive is it to lose a major series or movie? Liability can also be lessened if the company can prove that it was doing everything it could to assess and mitigate cyber risk, using an industry standard (like the NIST Cybersecurity Framework) as a foundation. The SAFETY Act from DHS also offers some immunity from liability in certain circumstances, and using DHS-approved software provides a strong rationale for dismissing derivative suits against management.
Netflix may have dodged a bullet if its valuation holds after this incident, but media companies should now be aware that a massive threat exists, and their management and directors should take the steps needed to prevent future cyber extortion against major content producers.