Increasingly, regulators, courts, rating agencies and investors recognize that cybersecurity is a leadership challenge, not just an IT problem. Attacks are becoming more sophisticated, more prevalent, and more malignant, and as a result senior corporate leadership is increasingly expected to take an active hand in formulating, monitoring and owning their companies’ cybersecurity plans and programs.
Regulators who touch the insurance business, ranging from the New York State Department of Financial Services (NYDFS) to the US Securities and Exchange Commission (SEC), are stepping up their expectations and imposing new requirements on senior officers and directors, even requiring their affirmative certification of company cyber strategies. These tougher regulatory standards greatly increase the risks for those senior officers who pay insufficient attention to cybersecurity. The public also is increasingly demanding accountability, particularly for those breaches that most directly impact consumers.
So, the critical question for officers and directors is: are you ready to sign on the cybersecurity dotted line? Are you taking sufficient, proactive steps not just to defend your company, but yourselves?
Liability before regulators, courts and the public
No cyber strategy will be effective without active and involved upper management. A slew of high-profile breaches has borne this fact out: senior leaders like CEOs and GCs who arguably were less than attentive to cybersecurity have resigned, have been hauled before Congress, and have been pilloried in public. Others have had their bonuses cut.
Recognizing the impact director and officer oversight can have, both state and federal regulators have explicitly interjected management into cybersecurity readiness, signaling they plan to take upper management to task for failing to meet expectations as to oversight.
At the state level, the NYDFS is leading the way with its detailed cybersecurity requirements (the NYDFS Rules) for businesses it regulates, including insurance companies. The NYDFS Rules require designating a Chief Information Security Officer, who must issue a comprehensive annual report on the company’s cybersecurity program to the board or senior management. Additionally, the board chairman or a senior officer must annually certify compliance with the NYDFS Rules in their individual capacity. The penalty for a person not being truthful in certifying compliance with the NYDFS Rules “to the best of his/her knowledge” could be individual civil liability, or even criminal liability in some scenarios.
The number of states that impose specific cybersecurity requirements on insurers is likely to proliferate even further after the National Association of Insurance Commissioners (NAIC) adopts its Insurance Data Security Model Law (Model Law). The NAIC is expected to adopt the Model Law this year, after which many state insurance commissioners are likely to consider adopting some version of it. Like the NYDFS Rules, the Model Law calls for executive and board-level oversight of cybersecurity. Executive management will be required to develop, implement and maintain a cybersecurity program under the Model Law, and must report to the board of directors annually on the status of the program.
Federal regulators are also scrutinizing company cybersecurity practices and emphasizing proactive senior leader involvement. The SEC, for example, has identified cybersecurity as one of the biggest risks to the U.S. financial system, and has been enforcing cybersecurity since the adoption of Regulation S-P. Regulation S-P requires certain companies to “adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information.” In addition, the SEC issued a risk alert in August 2017 signaling that it continues to focus on the prevention of cyberattacks, and highlighting an engaged senior management as a cybersecurity best practice.1
The federal bank regulators have also indicated their interest in requiring proactive, senior officer involvement. The Federal Reserve, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency released a joint Advance Notice of Proposed Rulemaking in late 2016 proposing unprecedented cybersecurity standards for banking and certain other financial institutions, including insurance companies designated as systemically important financial institutions.2 Proactive cyber-risk governance is a centerpiece of the proposed rule, which would require covered entities to develop a “written, board-approved, enterprise-wide cyber risk management strategy,” and calls for board-level competence in cybersecurity sufficient to allow “credible challenge to management in matters related to cybersecurity and the evaluation of cyber risks and resilience.”3 While the future of this proposed rulemaking is unclear, it is yet another signal that federal regulators intend to hold directors and officers accountable for the adequacy of their companies’ cybersecurity programs.
Regulators outside the U.S. are also getting in on the action. At the recent G20 Summit, the Financial Security Board (FSB) presented its “stocktake” of global cyber regulations. One core similarity among the current regulations is the emphasis on “the role of the board.” The FSB report also found that a full 72% of jurisdictions report plans to issue new regulations, guidance or supervisory practices.
In other words: if it’s not already here, it’s coming.
Personal liability for cybersecurity incidents is also becoming an issue for courts, with potentially serious consequences for directors and officers who pay insufficient attention to the proactive phase of cybersecurity. A number of shareholder derivative lawsuits have been filed against the boards of corporations that have suffered data breaches.4 These lawsuits have involved claims that boards have, for example, “failed to take reasonable steps to maintain its customers’ personal and financial information.”5 These early derivative lawsuits have so far been dismissed because of the high bar set by the business judgment rule, which presumes that directors of a corporation acted on an informed basis, in good faith and in the honest belief that the action taken was in the best interests of the company.6
Although shareholder derivative suits have not had much success to date, the protection afforded to directors and officers by the business judgment rule and other procedural barriers could diminish as cyberattacks increase in severity and notoriety. As the probability of an attack increases, and the magnitude of potential harms skyrockets, courts are more likely to find fault in those directors and officers who, in the court’s view, closed their eyes to the risks and failed to exercise sound judgment on cybersecurity preparedness.
But, on the other hand, an active and involved board can itself shield directors and officers from liability.7
An ounce of prevention is worth a pound of cure. One step directors and officers can take to prevent personal liability is to exercise strong and meaningful oversight over their companies’ proactive cybersecurity programs. Indeed, board and C-suite attention to cybersecurity is the linchpin of any effective cyber strategy. Only upper management can make employees at all levels prioritize cybersecurity, only upper management can align the responsibilities for cybersecurity with the authority to meet those responsibilities, and only upper management can ensure that the overall cybersecurity program is comprehensive, proactive, and well-practiced.
Further, perfection is not required. To avoid liability, companies should focus on developing and maintaining reasonable cybersecurity programs. Rapid-fire developments in regulation and litigation are informing what counts as reasonable cybersecurity, so directors and officers must remain vigilant to keep informed about this emerging standard of care, and whether they and their companies are meeting it. Directors and officers should also be prepared to “show their math” so that they can readily explain to regulators, courts and the public why they were reasonable in making certain risk-based decisions based on the information they had at the time.
Maintaining adequate D&O coverage
Now is also a good time for companies to review their D&O and cybersecurity insurance policies. While D&O policies usually provide broad protection against liability or settlement, companies have been surprised by coverage gaps before, particularly in the context of cyber incidents. There is a lot of variation in the coverage under different cyber policies, and a board should understand what protection the company has purchased for its balance sheet and income statement if a data breach occurs despite precautions. Further, companies should take the opportunity to review policy limits, especially as companies that have suffered major cyber incidents have illustrated the magnitude of the losses that can result.
Engage in cyber due diligence prior to any merger or acquisition
Buying a company also entails buying its data and IT infrastructure. Ensuring that appropriate cyber due diligence has been conducted before signing off on a deal can help ensure that directors and officers are aware of issues that can affect valuation, or even the decision to go through with a transaction. A recent survey revealed that a large majority of directors and officers believed the discovery of a major cybersecurity flaw would likely affect their final decision on a corporate transaction, and that a high-profile data breach would likely lead to a significantly lower valuation or even foreclose consideration of a transaction.8
Ultimately, directors and officers across the board are realizing—some too late—that they cannot delegate accountability for cybersecurity, and that having an effective cybersecurity program requires what only they can provide: judgment and leadership. Abdicating that role may not only cost the company, but may also cost individual directors and officers.