The recent disclosure that Russian spies perpetrated the Yahoo hack is the latest chapter in the largest breach ever, and it points to new ways, like the SAFETY ACT, that can lessen liability for failures in managing cyber risk.
Russians? Really? The already incredible story of alleged negligence by Yahoo management in failing to deal with cyberattacks effectively has just morphed into an international cyberterrorist incident. If those tasked with risk mitigation in other companies can learn from only one highly publicized breach, this is the one to study.
Let’s review the high points of the saga:
- Yahoo announced last September that credentials for 500 million accounts had been stolen two years earlier.
- In December, Yahoo announced that credentials for an additional billion accounts had been stolen, going all the way back to 2013.
- The Yahoo board in early March removed more than $12 million from CEO Marissa Mayer’s compensation because the failure occurred on her watch.
- The FBI recently filed criminal charges against named individuals, including Russian spies, who were involved in perpetrating the Yahoo breaches.
Who’s responsible for managing cyber risk? Is the Yahoo situation purely an IT security failure? Should the board have been more informed? Does the CEO carry the blame for not making cyber risk a strategic issue?
Cyber Risk Governance (CRG) is a team sport where many play important roles:
- Corporate directors have an obligation to oversee cyber risk as a part of their broad enterprise risk management duties.
- Astute executives incorporate cyber risk measures into the strategic use of technology in growing their business.
- General counsel’s interest is in precluding all forms of financial liability, including damage from cyber breaches.
- Internal auditors want to institute control systems for managing cyber risk in parallel with those for financial risk.
- IT and security staff realize that technology alone isn’t a solution, and they want to foster a culture of security across the organization.
What steps can key stakeholders take to prevent another Yahoo?
- Recognize that cyberattacks are an enterprise risk. Many directors and executives avoid assuming responsibility for cyber risk, clinging to the mistaken belief that it’s only a matter for IT and security to handle. In fact, the risk of a breach is another form of enterprise risk, and directors and officers have the same fiduciary duty to mitigate it as they do for financial risk.
- Make cyber risk governance a high priority. A recent survey of 2,791 corporate directors published in Harvard Business Review found that only 8% consider cybersecurity to be a strategic threat. Given that almost all businesses now rely heavily on the internet for their operations, the danger of business interruption is very real and must be taken more seriously.
- Continually assess and monitor progress against standards. As Peter Drucker famously said, “what gets measured improves.” Instead of hearing arcane statistics unrelated to business strategy, boards should be able to oversee the assessment and monitoring of the organization’s cyber maturity based on accepted standards (e.g., NIST Cyber Security Framework).
- Investigate the SAFETY Act. A little-known program within the Department of Homeland Security, the SAFETY Act offers a way to defer liability resulting from breaches. Employing solutions that have survived the SAFETY Act’s arduous evaluation and approval process provides a level of legal defense that is otherwise unattainable.
(For information on the SAFETY Act, email firstname.lastname@example.org)