It Can (and Probably Will) Happen to You
By Tim Marlin
Over a three-year period, a prominent global hotel and resort chain headquartered in the U.S. was hacked three times. Cyber criminals stole customer information stored on servers around the world and racked up more than $10 million in fraudulent credit card transactions. Lawsuits brought by private plaintiffs and regulators ensued, alleging lax security practices. They included a derivative suit against individual members of the company’s board of directors.
But the company’s board had done its due diligence, proactively addressing cyber security by establishing policies and conducting routine audit reviews in advance of the incidents and by implementing the recommendations of outside consultants in their aftermath. The derivative suit against the board ultimately was dismissed.
The Growing Cyber Threat
This is another case in an ever-expanding list of corporations sent reeling from the far-reaching and costly effects of cyber crime. It’s also a poster child for the importance of a threat management program that is actively overseen by the company’s board of directors.
Yet many organizations are slow to take a proactive approach. According to the 2016-2017 Global Information Security Survey by Ernst & Young, 44 percent of businesses do not have a security operating center (SOC) and 64 percent do not have a threat intelligence program or only have an informal one. Sixty-two percent of businesses say they would not increase their cyber security spending after experiencing a breach that did not appear to do harm.
This is a risky stance for a business to take nowadays. Data breaches cost U.S. companies an average of $7.35 million, up 5 percent from the prior year, according to the Ponemon Institute's 2015 Cost of Data Breach Study: United States
. The average cost per compromised record increased from $221 to $225.1
But actual breach events have shown that a company’s potential for loss goes far beyond dollars and cents. Intangible damage to a company’s reputation, intellectual property, productivity and more can also take a costly toll.
A New Board-Level Duty of Care
Given the high threat of loss, cyber security has become a "duty of care" that boards must address.
"Ensuring the adequacy of a company’s cyber security measures needs to be part of a board of director’s risk oversight responsibilities," said SEC Commissioner Luis Aguilar in his speech, "Sharpening the Focus
," presented at the 2014 Cyber Risks and the Boardroom conference.2
Even a perceived lack of diligence on the board’s part may make individual members vulnerable to lawsuits alleging breach of their fiduciary responsibility. Yet cyber security is a challenging new frontier for directors who may be intimidated by its many risk factors and technical considerations, not to mention the ever-evolving cyber threat environment that thrives on surprise.
Guidelines for Getting Started
How can boards protect themselves? First, they can be reassured that they do not need to be technical experts in cyber security. Their role is one of oversight and their job is to consider cyber security from an overall risk management perspective and to be actively engaged in the decision-making process. More specific controls are the responsibility of employees who put the board’s high-level strategic direction into practice.
These guidelines can help board members get started at the right level:
Educate yourself on cyber regulations on the state and federal government levels and the steps they mandate in the event of a breach.
Understand the company’s potential cyber exposure, including the sensitive information it holds, where it’s stored, how it’s protected and the potential threat actors from within and outside the company.
Leverage third-party expertise to evaluate the company’s cyber risk, assist in developing its strategy, consult on security issues and respond to board questions.
Ensure that management has a well-thought out plan in place to prepare the company for the inevitability of a cyber attack, including business continuity and disaster recovery procedures.
Cultivate cyber security as a company-wide concern. Require security awareness training among employees and ensure that administrative privileges are robust and assigned to the right people.
Require third-party providers and vendors to be thoroughly vetted to ensure they are not a potential source of a cyber attack. If they are an Internet service provider, ensure that they can also effectively respond to and recover from an attack on their own network.
Establish a reporting structure that assures ongoing and direct board knowledge. For instance, the company’s security officer may meet with the full board or a special cyber committee of board members on a monthly or quarterly basis to review any incidents, their cause and corrective action needed.
Maintain a factual record of cyber incidents, their frequency and severity, and what was done in response. Document the board’s involvement and the rationale for all of its risk management decisions, including those that are proactive. It was the hotel company’s extensive documentation of the board’s discussions and decisions that cleared its directors of negligence.
Get insurance to protect the company from the cost of a cyber attack as well as its board and officers from lawsuits filed for breach of fiduciary duty.
Transferring the Risk With Insurance
Cyber crime is pervasive. It’s only a matter of time before any given business becomes its hapless victim. Insurance can help fill the gap of a potentially large financial loss that may arise as a result.
Two types of cyber-related coverages are essential for corporations that rely upon the Internet for any aspect of their business:
Comprehensive cyber liability insurance offers crisis management expertise in the event of a breach and can pay for first- and third-party costs associated with it , including (but not limited to) expenses related to the investigation, customer notifications, credit and identity theft monitoring, privacy and security liability, business interruption, legal costs and regulatory fines.
Directors and Officers (D&O) insurance protects the personal assets of a business’s directors and officers if they are sued for actual or alleged wrongful acts committed in managing the company.
Stand-alone coverage for both eventualities will ensure comprehensive, tailored protection against the pervasive risk of cyber attacks that are growing in frequency and magnitude.
About the Author
Tim Marlin is head of cyber underwriting for The Hartford. He has over 15 years of cyber, technology errors and omissions, professional, and management liability insurance. Tim can be reached at firstname.lastname@example.org
Any product described in this document may be offered by one or more of the property and casualty insurance company subsidiaries of The Hartford Financial Services Group, Inc. All products may not be available in all states or to all businesses. Certain products may be provided on a surplus lines basis and require the use of a surplus lines broker. Surplus lines policies are generally not protected by state guaranty funds
The Hartford® is The Hartford Financial Services Group, Inc. and its subsidiaries.