Cyber Risk Lessons for Boards and Officers


Leaders have a duty-of-care for preventing, mitigating and transferring the risks of a cyber attack

By Michelle Lopilato

Large enterprises like Equifax, Target, Sony and Home Depot may have grabbed the headlines for cyber attacks, but small to mid-size businesses are the most exposed and the easiest prey: they have fewer resources and may falsely believe that hackers target only large organizations. Last year, small organizations accounted for 85% of data breach claims,[1] and breaches of fewer than 10,000 records cost on average $4.66 million.[2]

As if such frequency and severity were not enough to cause concern, cyber liability now extends from the computer room to executive leadership and up to the boardroom.
The boards of Target, Google and Wyndham were sued after recent data breaches, and at some of these companies C-suite officers were fired for failing to anticipate and prevent a breach, all because preparation for, or response to, the incident was inadequate.

Such lawsuits and firings could be catastrophic for officers and boards if the firm does not carry enough cyber insurance, as well as directors and officers liability (D&O) coverage, to protect the firm and indemnify them.

Executive leadership of every company, regardless of size, has a duty of care toward all shareholders. As a result, the responsibility for preventing or responding to a cyber breach ultimately sits on their shoulders, and that responsibility creates personal liability. If a company is sued by a shareholder and does not have enough capital or insurance to protect the firm or indemnify the C-suite and board, those individuals could lose personal assets such as homes, college funds and retirement accounts.

Start From The Top
Companies often start at the bottom, with operational efforts to minimize losses by simply buying preventive controls like firewalls or anti-virus software. Fewer firms set up mitigation controls like business continuity and disaster recovery plans or incident response plans; fewer still have ever tested them, or transfer cyber risk through contracts or insurance.
Consequently, many firms would not meet the general "reasonableness" standard for preparedness that the latest NIST and FTC guidance suggests, and their boards and officers could be made to look negligent in a court of law.

Boards need to do three things.

  1. Check that your D&O coverage is adequate. Does it exclude failure to maintain underlying insurance, or carve out cyber risks specifically? The former exclusion is common; the latter is new.
  2. Check that the firm has cyber coverage. Most firms do not, and many policies are not worth owning. Hence you need to consult a qualified cyber insurance broker, like Hub, with dedicated experts for insurance placement, incident response and claims handling.
  3. Exercise a duty of care that shows how officers of the company avoid, prevent, mitigate and transfer cyber risk, then document the evaluations and decisions.

Officers must assist the board in its evaluation of cyber risks by:

  1. Get on the right side of the law. Study the relevant regulatory regimes, the state, federal and international laws that may apply to your physical and electronic stores of personally identifiable information (PII) or protected health information (PHI).
  2. Adopt the latest best practices advocated by the FTC, NIST, industry groups or regulators.[3]
  3. Evaluate the potential for unexpected losses and place sufficient insurance.

Operations personnel need to execute those plans. The best hackers do not only hack systems or software; they hack people.

The tools they use are powerful enough to bring down the most sophisticated nation states. They are sometimes designed to steal, other times to destroy. To employees, these tools can mean pillaged bank accounts; to employers, they mean losses of money, trade secrets and competitive advantage.

Putting It All Together
If officers and board members do all of the above well, they defend not only the firm but themselves. For example, in Palkon v. Holmes, the shareholder derivative suit that followed the Wyndham breaches, a New Jersey federal court dismissed a claim alleging that the company's board and officers had not taken adequate steps to prevent an information breach. Wyndham executives provided detailed records of 14 quarterly board meetings at which cyber security, policies and security enhancements were discussed, and showed that the company's audit committee had investigated the breaches and hired a technology firm to recommend security improvements.

The lesson is clear: executives of a company of any size who proactively work together and document their steps in managing risk, both before and after a cyber attack, will be able to show that they have discharged their responsibility to shareholders.

It is more important than ever for management teams to work together, from the C-suite to the board to operations personnel. Taking the necessary steps to avoid, prevent, mitigate and transfer new and emerging risks will ultimately safeguard the company and its executives.

About The Author:
Michelle Lopilato, Senior Vice President, Director of Cyber and Technology Solutions at HUB International. Michelle is responsible for advising clients and prospects on issues related to cyber, privacy and technology risks, as well as negotiating with carriers on policy terms and conditions.

[1] NetDiligence, Cyber Claims Study 2014.
[2] Ponemon Institute and IBM, "2015 Cost of Data Breach Study: United States", p. 10.
[3] For example, see the latest FTC publication, "Start with Security: A Guide for Business".



  • SecWorld

    Uber may be the latest in a long line of big names to hit the headlines in the wake of serious data breaches, however it is the handling of the attack that is the biggest cause for concern. The lengths gone to by the executive team to conceal the loss of personal data from staff and customers is mind-blowing, and there simply isn’t a place or excuse for it.

    Most likely the Uber C-suite, seeing the repercussions of cyber-attacks on similar household names, were keen to avoid the reputational damage – a massive error of judgement. The reality is that customer distrust of the brand will be amplified by the company’s attempts to hide the facts from them and points to the need for change in the industry.

    When it comes to the loss of personal data, transparency is crucial. Not only will 2018 see this mandated by GDPR, but it is vital to ensure that even in the wake of a breach customers do not lose total faith in a brand’s ability to protect their data.

    Secondly, the hacks of the past two years could not have made it plainer that the current mind-set isn’t working. Organisations need to think beyond the ‘protect’, ‘detect’, ‘react’ approach which sees hackers on average spend over 100 days siphoning off sensitive data from across compromised networks. Instead the model needs to include a step that limits the damage – containment. By isolating a threat when it enters the network, businesses can minimize the sensitive data a hacker can access and massively reduce the scale and scope of high profile hacks.

    -Jim Kennedy, VP North America, Certes Networks
