The following excerpt is from D&O Guide to Cyber Governance: Fiduciary Duties in the Digital Age by Jody Westby.
The importance of cyber governance has been elevated over the past two years due to:
- Increased sophistication of cyber attacks resulting in significant business interruption losses and theft of confidential and proprietary data.
- Information security governance standards and best practices that require specific actions of directors and senior management.
- Increased legal and regulatory requirements mandating that directors and officers take certain steps in overseeing information security.
- Cyber-event driven litigation and a series of recent holdings in Delaware case law that collectively work to narrow, under certain circumstances, the deference given to boards, particularly with respect to meeting their duty of loyalty and good faith oversight.
General counsels and outside firms can play a significant role in helping directors and officers meet their fiduciary duty and avoid derivative shareholder suits by confirming a cyber governance framework is created that identifies key cyber risks, ensures appropriate data about these risks is reported to the board, and establishes a board process to review this information and monitor the risks.
Changes in the Cyber Threat Environment
The bad guys are still winning, and the pandemic gave them a boost. The cyber threat environment today is dramatically different from what it was three years ago. There are four primary reasons:
- Cybercriminals openly released a treasure trove of cyber offensive tools developed by the U.S. intelligence community.
- Nation state-sponsored cyber attacks and attacks using sophisticated malware have increased dramatically.
- Internet of Things (IoT) devices and Artificial Intelligence are being exploited by attackers.
- Cybersecurity programs have not matured to keep pace with the threat environment.
In 2016-17, a hacking group called the “Shadow Brokers” made five releases of NSA-developed cyber weapons that were capable of infecting millions of computers around the world. Between March and September 2017, Wikileaks made 23 releases of information and code on CIA-developed cyber tools used to hack smart phones, computers, and smart televisions. Combined, these releases of the U.S. Government’s cyber assets provided countries, cybercriminals, and terrorists around the globe with some of the most sophisticated offensive cyber weapons.
Many of the tools leveraged vulnerabilities in software that the U.S. intelligence community had discovered, but had not informed the software providers about. Thus, patches had not been developed, and all of the users of these systems were vulnerable. Any unpatched systems today remain vulnerable to these “clickless attacks” that do not require tricking someone to click on an attachment or link; the malware can enter a system by exploiting an unpatched software vulnerability.
Then came the pandemic. The cybercriminals realized that computer rooms were unmanned, cybersecurity personnel were not able to monitor the system as effectively, patches were not being applied as consistently, and people were working from devices that did not have an up-to-date operating system or current antivirus software. They also preyed on people’s desire for information on the coronavirus, the need to buy face masks and personal supplies, and the desperate need felt by so many for financial assistance.
Just a couple of months into the pandemic, the FBI’s Internet Crime Complaint Center reported a 300% increase in cybercrime complaints. Cybersecurity Ventures recently predicted the global cost of cybercrime will hit $6 trillion in 2021. The privacy/security company Blackfog reported that ransomware attacks were highest in the U.S. and U.K. Experts predicted that a company will be hit with ransomware every 11 seconds and the cost of these attacks will be $20 billion by the end of 2021.
Now, consider there are more than 20 billion IoT devices connected to the Internet, and many of them utilize artificial intelligence technologies. Most of these devices were not built with security in mind, and thus the data they collect and transmit are a rich target. Deloitte noted in a recent report that securing IoT systems is complicated by (1) the sheer amount of data being generated and collected, (2) the fact that much of the data is accessed or held by third parties, and (3) decentralized approaches to risk management. Cyber governance requires an enterprise approach.
Recent Holdings in Delaware Case Law & Increased Derivative Suits
The 1996 Delaware Caremark Derivative Litigation case set forth important case law regarding a board’s duty to ensure that it has adequate information flows to enable it to meet its fiduciary duty of loyalty and good faith oversight. Caremark involved a shareholder derivative action that alleged the board breached its fiduciary duty when it failed to detect and stop employee violations of state and federal laws applicable to health care providers, which resulted in the company paying $250 million in fines and payments to injured parties. The court noted that directors’ fiduciary duty includes a duty to act in good faith to ensure that an adequate corporate information and reporting system is established and monitored, and the failure to do so may cause a director to be liable for losses caused by compliance violations.
Caremark claims have been considered among the most difficult to win, in that the plaintiff essentially had to prove that the directors acted in bad faith because they completely failed to implement an information and reporting system and failed to monitor it. In 2019 and 2020, Delaware courts issued four opinions that collectively work to narrow, under certain circumstances, the deference given to boards, particularly with respect to their oversight of compliance risks.
One of the cases, Clovis Oncology, noted that, “Delaware courts are more inclined to find Caremark oversight liability at the board level when the company operates in the midst of obligations imposed upon it by positive law yet fails to implement compliance systems, or fails to monitor existing compliance systems, such that a violation of law, and resulting liability, occurs.” The cases indicate that regulated industries and companies with a high level of compliance requirements should ensure that they have implemented board-level oversight systems, with appropriate information flows and reporting, to enable the board to monitor compliance and key risks and respond in a timely manner.
Information Security Governance Standards and Legal Requirements
The International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) standard, ISO/IEC 27001, is the “gold standard” for information security globally and is followed by most multinational corporations. The ISO/IEC issued the only global standard on governance of information security, ISO/IEC 27014, in 2013 and updated it at the end of 2020. Best practices on governance of cybersecurity also have been developed by the National Institute of Standards and Technology (NIST) and the Federal Financial Institution Examination Council (FFIEC) and other private sector organizations.
The New York Department of Financial Services (NYDFS) enacted Regulation 500, which became effective March 1, 2017, and requires financial institutions to establish a complete cybersecurity program, including policies and procedures, training, risk assessments, vulnerability scans and penetration testing, access controls, and encryption of non-public information. The board chair or an officer must submit a signed statement annually to NYDFS certifying that the organization is in compliance with the requirements of the rule. The National Association of Insurance Commissioners’ (NAIC) Data Security Model Law has similar governance requirements and has been adopted in eleven states. On a federal level, the Health Insurance Portability and Accountability Act (HIPAA) and the Federal Information Security Management Act (FISMA) also contain governance requirements.
Cyber governance standards may be deemed to have established a known duty to act, and laws require compliance. Today, D&Os that do not have a defined process for managing and overseeing cyber risks gamble on being found liable for failure to act reasonably and in good faith to ensure their organization complies with legal or regulatory requirements and best practices regarding privacy and cybersecurity.
Management of Cyber Incidents
The management of a major cyber incident is more difficult – and risky – if the organization does not have a well-developed and tested incident response plan (IRP) and business continuity/disaster recovery (BC/DR) plan. D&Os need to ensure that their organization’s IRP is aligned with best practices and standards and that it can restore data if the data becomes corrupted, erased, or encrypted.
The board and senior management should ensure that digital asset inventories are developed in accordance with best practices, including assignment of owners, data classification, and application risk categorization. The IRP must be able to guide the organization through any form of attack. It should include an Incident Response Management Policy that has been approved by the board and defines roles and responsibilities during an incident, escalation of incidents, and steps to mitigate losses. Rosters of internal and external personnel that may be needed during a response are an essential component of an effective IRP.
Boards and senior management have an important role to play in managing a serious attack. They should take part in tabletop exercises to ensure the IRP is aligned with operations, roles and responsibilities are appropriate, and the plan can effectively guide the organization through various types of incidents.
Depending upon the severity of the incident, the board may wish to retain a trusted advisor to help it analyze the various data flows from an incident and review response options. All remediation efforts should be documented and presented to insurance carriers in an attempt to minimize insurance rate increases after the attack.
All of this means that the cybercriminals are winning and plaintiffs may be too if boards fail to ensure a cyber governance framework is established that identifies key cyber risks, ensures appropriate data flows on these risks, and establishes a board process to review this information and monitor cyber risks and compliance requirements. Such a failure may be viewed as a breach of the D&O duty of loyalty and a failure to act in good faith.
Boards and executives need to begin the hard work of governing cyber risks by following best practices and standards, allocating appropriate resources to cybersecurity, and developing risk transfer strategies. A Ponemon/AttackIQ report released in September 2019 indicated that “only 28% percent of respondents say their board and CEO determines and/or approves the acceptable level of cyber risk for the organization.” If companies focus on only one area of their cybersecurity programs this year, let it be cyber governance.