BreachExchange mailing list archives

Why are Companies and their Directors and Officers Still Behind on Cyber Security Oversight and Disclosure?
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 30 Nov 2015 16:59:29 -0700

http://www.jdsupra.com/legalnews/why-are-companies-and-their-directors-46081/

Over the past three years, I’ve been outspoken about the need for better
board oversight of cyber security, as well as the need for better cyber
security disclosure.  The severity of the cyber threat is so significant to
companies, as well as to the nation’s economy and security, that boards
have no choice but to pay attention.  Indeed, I can easily envision a world
where, as a practical matter, directors face a heightened risk of personal
liability for cyber-security problems.  And over the past several years,
there has developed an army of talented IT, legal, and insurance
professionals ready to help boards manage this threat, and there are some
very proactive, outspoken, and conscientious directors who are trying to
lead the way.

Yet surveys still say that, on the whole, directors aren’t sufficiently
engaged, and companies aren’t providing directors with sufficient
information and support.

How in the world could that be so?

Below, I examine two of the underlying problems, and provide solutions: (1)
a suite of problems that I call “cyber freak-out,” and (2) an odd lack of
concern about director liability.

Cyber Freak-Out

The average corporate director was 47 years old when Amazon became a public
company.  Although that was also almost 20 years ago, and most people who
serve on boards have grown comfortable with computers and the basics of
technology, there is nevertheless a fundamental sense of discomfort with
discussion around the IT aspects of cyber security.

This discomfort yields a suite of problems that I diagnose collectively as
“cyber freak-out.”  Cyber freak-out includes one or more of the following
stated or unstated excuses for not tackling cyber security issues:

Excuse: The audit committee handles risks, so that’s the right group to
handle cyber security.

Reality: Cyber security is an enterprise risk that the full board needs to
understand and decide how to manage – even if it is ultimately given to a
committee.  And the audit committee has too much work already.

Excuse: Being hacked is inevitable, so we can’t do much about it.

Reality: Cyber security oversight isn’t just about preventing attacks –
it’s also about deciding what assets to protect and how to respond to a
breach, among other issues.

Excuse: Cyber security is an IT issue, and the IT folks have told us for
years that we’re safe.

Reality: The world of cyber security poses higher risks now, and it’s
incumbent upon the board to ask hard questions of the IT department.  There
are outside consultants galore who can give the board an independent
evaluation. And cyber security is not just an IT issue.  Most cyber attacks
can be prevented through employee education – which presents issues of
employee training and corporate culture, which even a Luddite director can
help shape.

And there are several more things few people say out loud, but I fear that
too many think:

Excuse: We should have been on top of this earlier, so engaging in a
full-scale program of cyber security readiness will make us look bad.
Excuse: I don’t want to ask a dumb question, and don’t think I can ask a
smart one.
Excuse: If I wait long enough, one of my fellow directors will get up to
speed and lead us through what we need to do.

Reality: The absurdity of these excuses speaks for itself.

Another common mistake is to assume that cyber attacks are limited to
companies with personal information, like credit card numbers or health
information.  That is wrong:  Any company with valuable assets – including
trade secrets – is and will be a target.  The reason that companies with
personal information grab the headlines is that their breaches have become
public because of breach-notification laws.  Companies that aren’t subject
to breach-notification laws rarely disclose cyber breaches.  One of the
country’s leading cyber-security lawyers to public companies said at the
SEC’s Cybersecurity Roundtable in March 2014 – in the presence of SEC Chair
White and Commissioners Aguilar (who gave an important speech in June 2014
on board oversight of cyber security), Gallagher, Piwowar, and Stein:

I would say that I really can’t think of a case – and we’ve worked a lot –
where the disclosure thinking or analysis was driven by the securities law
issues, frankly.

Basically there are other state laws, other situations that are going to
create a disclosure obligation, and that’s what drives it. And I think just
to be someone speaking from the trenches in terms of the reality of what
really happens, there is a tremendous disincentive to disclose a breach.

I believe that the well-known cyber breaches are the very tip of the
iceberg, and the much larger cyber security problem is, and will be,
beneath the surface until companies start disclosing cyber security issues
because of their yet-unenforced federal securities law obligations.  A
company whose IP has been stolen, or whose business has been interrupted,
faces various disclosure issues.  The issue isn’t just whether a breach is
material.  It’s much broader: a cyber security breach could make any number
of statements misleading, including financial statements, earnings
guidance, statements about internal controls, and statements about the
status and prospects of the business operations.  Yet most directors seem
to believe that cyber security is just a problem for banks, retailers, and
health-care providers and insurers.  That’s just not so.

The problem with cyber freak-out is that it undercuts directors’ main
defenses to shareholder claims of breach of fiduciary duty.  There are two
main claims for breach of fiduciary duty in this area:

The first type of claim is for a failure to act, or a failure to engage in
appropriate oversight, under a standard articulated in a leading case
called Caremark.  The court in Caremark called the claim it branded
“possibly the most difficult theory in corporation law upon which a
plaintiff might hope to win a judgment.”  To be liable for a failure of
oversight – a type of breach of the duty of loyalty – a director must fail
to establish any system for detecting problems, or if a system exists, must
deliberately fail to monitor it or follow up on red flags.  Thus, the only
way a director can be liable for a failure of oversight is to not even try
– or in the cyber security context, to be paralyzed by cyber freak-out.

In contrast to a claim for inaction, the second type of claim is based on
director action.  Such claims are governed by the business judgment rule,
which protects from second-guessing a decision made by informed and
disinterested directors.  A shareholder can overcome the presumption,
however, if the challenged decision was not informed.  Cyber freak-out can
result in challenged cyber-security decisions being insufficiently
informed, and thus outside the protection of the business judgment rule.

Thus, directors will not be liable if they in fact oversee cyber security,
and make decisions about cyber security based on adequate information.
Boards need to just pay attention and start somewhere – there’s no secret
sauce, and perfection isn’t required.  There’s no cyber-security
intelligence test.  An inquisitive director can do a good job overseeing
cyber security without even being a computer user.

Director Liability

On the one hand, diligent directors don’t face real risk of liability for
cyber security oversight.  On the other hand, I believe the fear of
director and officer liability needs to increase before directors and
officers and their companies sufficiently tune up their cyber security
oversight and disclosures.

Although I don’t wish a lawsuit on anyone, much less actual liability, I
think some jarring liability event is necessary: Just as Bill Lerach, Mel
Weiss, and other prominent securities class action lawyers have greatly
improved the quality of corporate disclosure, and corporate-law decisions
like Smith v. Van Gorkom have improved board decision-making processes, so
too would a cyber-security liability jolt improve cyber-security oversight
and disclosure.  But at the moment, directors and officers observe that
stocks generally haven’t dropped enough to trigger securities class
actions, and the handful of shareholder derivative cases haven’t been
virulent.  And the shareholder derivative litigation dismissal in Wyndham,
while great for Wyndham’s directors, probably set cyber security oversight
back.  The Wyndham decision, resting on the board’s post-breach process in
deciding to reject a shareholder demand on the board, was virtually
meaningless in its impact on the law governing board oversight of cyber
security.

But securities and corporate governance litigation involving cyber security
problems is indeed coming.  And it may be ugly.  The more directors and
officers are on notice about the severity of cyber security problems, and
the less action they take while on notice, the easier it will be for
plaintiffs to prove their claims.  We not only could see a sharp uptick in
the number of claims, but they could be quite difficult for directors and
officers to defend, until cyber security oversight and disclosure improve.
I worry about this dynamic a lot.

I also worry about SEC enforcement concerning cyber security. The SEC has
been struggling to refine its guidance to companies on cyber security
disclosure, trying to balance the concern of disclosing too much and thus
providing hackers with a roadmap, with the need to disclose enough to allow
investors to evaluate companies’ cyber security risk.  But directors and
officers shouldn’t think the SEC is going to announce new guidance or make
new rules before it begins enforcement activity around cyber security
disclosures.  All it takes to trigger an investigation of a particular
company is some information that the company’s disclosures are rendered
false or misleading by inadequate cyber security.  And all it takes to
trigger broader enforcement activity by the staff is a perception that
companies aren’t taking cyber security disclosure seriously.  That may or
may not be preceded by further cyber security disclosure guidance.  And
companies need to be concerned about whistleblowers, including over-worked
and under-paid IT personnel, lured by the SEC’s whistleblower bounty
program, and about auditors, who will soon be asking more frequent and
difficult questions about cyber security.

Conclusion

Greater cyber security oversight, and better corporate disclosure, are
inevitable.  I hope that they happen naturally, as the result of good
counseling by the advisors who are ready and able to help, rather than only
developing after we are hit by the inevitable wave of shareholder
litigation and SEC investigations and enforcement actions.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 