Article

D&O risk in the age of cyber insecurity

June 29, 2017
| United States, United Kingdom
By Rob Yellen, D&O and Fiduciary Liability Product Leader, FINEX NA

As cyber insecurity advances at breakneck speed, so too do the attendant risks. It’s not just data and firewalls anymore. With cyber threats and privacy breaches making regular headlines, and seemingly everyone — even the CIA — falling victim, we are more cyber-threatened than ever. In this world of ever-increasing risk, the boardroom must take note.

Expectations are changing: As our awareness grows, so do our expectations for the caretakers of our information, investments and cyber-accessible assets. We would all like to believe that someone has this all under control — the government, technology companies, internal IT departments, big corporations, financial institutions, credit card vendors, website hosts, your cell service and phone manufacturer, social media sites, search engines. . . someone, right? The reality is that business and governmental leaders cannot forego the unprecedented opportunities that technology, data and the evolving social paradigm present to make sure we are perfectly cyber secure.

“Risk management is no longer simply a business and operational responsibility of management. It has also become a governance issue that is squarely within the purview of the board. Accordingly, oversight of risk should be an area of regular board assessment.” Martin Lipton, Risk Management and the Board of Directors, Harvard Law School Forum on Corporate Governance and Financial Regulation, February 15, 2017.

Cyber has become a board of directors-level risk management issue: Even with prudent controls, consistent employee training and exemplary IT staffing and performance, the dark side of digital connectivity will eventually find its way in. Cyber crooks will get things of value and criminals will hold us hostage or cause problems. Meanwhile, the threat landscape expands exponentially.

The good news is that awareness of cyber insecurity is growing and our sophistication is maturing. However, with the torrent of noise around cyber insecurity, we risk becoming desensitized — not blasé, just saturated. How much more noise can we absorb and meaningfully digest? Enough already! We have our businesses to run, too.

With cyber risks inherently incorporeal, we also risk being less offended by cyber-attacks than we might if physically attacked, or less outraged than we might if when we knew we were being personally spied on.

On the flip-side, however, the day may come when the perceptions of regulators and investors change. Although cyber-attacks will undoubtedly continue to plague the business world, stakeholders will take increasingly closer looks at what was done to minimize the harm at the top.

Cyber insecurity is no longer just a technology problem. Siloing, we now know, is incomplete and ineffective. As cyber insecurity matures, best-in-class risk management solutions are evolving into a holistic, enterprise-wide effort driven from the board room down through the entire organization, engaging everyone from executives to brand new employees. It’s about people and culture.

So, how can we live with cyber insecurity? Are we ready? Can we address cyber threats much like we do other unavoidable risks like germs and accidents — as just part of everyday life?

We may not have a choice. While we can mitigate cyber risk, we cannot eliminate it. The risk is too dynamic and pervasive. The financial incentives of the dark side of cyber are way too high, and our current legal and enforcement regimes are still relatively ill-equipped to address this incorporeal, ubiquitous risk.

Insurance (cyber-specific) has a role: Much like we insure against our exposure to physical accidents and liabilities, we do have insurance solutions to help transfer difficult-to-manage cyber insecurity risks.

Cyber and D&O insurance: While cyber insurance plays a critical role in managing direct cyber insecurity risk, current cyber insurance does not reach indirect risks traditionally addressed under D&O insurance. This leaves unanswered the question of how well will D&O insurance respond if liability for cyber insecurity reaches the C-suite or the boards of directors. The consensus suggests that for the perils typically covered under D&O liability insurance, such as derivative and securities class action lawsuits, D&O insurance should already respond.

Cyber exposed

For this cyber insecurity discussion, let’s assume:

  • Cyber-attacks on your business are commonplace, sophisticated and persistent. Because they almost certainly are.
  • Information has leaked, and it is readily available to criminals on the dark web.
  • On your system somewhere is dormant, undetected malware that has expanded and become “weaponized.” ƒƒ
  • Your internet-capable phones (cell and wired or wireless VOIP) and other networked devices allow competitors and others to eavesdrop on your every word — even when those devices appear off.
  • A loss of internet connectivity will materially impact the viability of your business, and a prolonged loss of internet connectivity could ruin you.
  • Corruption of, or damage to, your systems by ransomware practitioners (with varied agendas) could materially impact your business. Imagine if your accounts receivables were permanently unreliable.
  • Your organization holds, or is responsible for, private and confidential data, if only for your employees.    

Now, let’s assess potential directors and officers liability risk.

D&O cyber risks

Fiduciary duties

Risk management clearly falls within directors’ fiduciary duties. Not day-to-day risk management, but oversight of the function. We continuously see more organizations putting more attention into such areas as enterprise risk management (ERM). The appearance of chief risk officers (CRO) within companies is more commonplace today than ever before. In other words, “risk” is on the agenda for board meetings, and many stakeholders in companies entrust boards of directors with the power to manage risk prudently. But while directors clearly have these fiduciary duties, the bar for plaintiffs to establish those duties have been breached is still pretty high.

“Generally where a claim of directorial liability for corporate loss is predicated upon ignorance of liability creating activities . . . only a sustained or systematic failure of the board to exercise oversight — such as an utter failure to attempt to assure reasonable information and reporting system exits — will establish the lack of good faith that is a necessary condition to liability. Such a test of liability — lack of good faith as evidenced by sustained or systematic failure of a director to exercise reasonable oversight — is quite high.” In re Caremark International Inc. Derivative Litigation, 698 A.2d 959, 971 (Del. Ch. 1996)

With respect to cyber insecurity, plaintiffs have tried to make claims against directors and officers stick. So far, no success. No wonder, with the bar so high.

Federal laws and regulations

While fiduciary duties may not be the driving D&O risk arising from cyber insecurity, regulatory risk may be scary enough. The following highlights are intended to be illustrative rather than exhaustive.

NIST Framework: The National Institute of Standards and Technology (NIST) published The Cybersecurity Framework in February 2014. In January this year, (NIST) issued a draft update to the Framework with new details on managing cyber supply chain risks, clarifying key terms, and introducing measurement methods for cybersecurity, the updated Framework aims to further develop NIST’s voluntary guidance to organizations on reducing cybersecurity risks.

The SEC has recently voiced its support of the Framework for Improving Critical Infrastructure Cybersecurity released by NIST and has indicated that as part of fulfilling their risk oversight function, boards should at a minimum work with management to ensure that corporate policies are in line with the Framework’s guidelines.

Dodd-Frank Act: The Dodd–Frank Wall Street Reform and Consumer Protection Act was signed into federal law on July 21, 2010. Among other things, Dodd-Frank requires bank holding companies with total assets of $10 billion or more, and certain other non-bank financial companies as well, to have a separate risk committee. That committee must include at least one risk management expert with experience managing risk of large companies.

Federal Trade Commission: The Federal Trade Commission Act prohibits “unfair or deceptive acts or practices in or affecting commerce.” 15 U.S.C. § 45(a). Since 2005, the Federal Trade Commission used this provision to bring actions against companies with allegedly deficient cybersecurity that failed to protect consumer data against hackers. An August 24, 2015 decision in Federal Trade Commission v. Wyndham Worldwide et al., 799 F.3d 236 (3d Cir. 2015), confirmed that certain data security practices could be considered “unfair” under § 45(a) and that the FTC’s “unfairness” authority may encompass cyber insecurity.

Financial Services Regulators: On Wednesday, October 19, 2016, the Federal Deposit Insurance Corporation (FDIC), the Office of the Comptroller of the Currency (OCC) and the Federal Reserve Board (FRB) (collectively, the “Bank Regulators”) jointly announced proposed rules to enhanced cyber risk management standards for financial institutions that would apply to large and interconnected entities under the agencies’ supervision. These standards may impact business well beyond financial institutions since the proposals may apply, to some extent, to their vendors, too. Among the prescriptive elements of the proposed rules:.

  • ƒƒThe board must have deep knowledge in cybersecurity or direct access to external expertise.
  • Certain risk functions, including cyber risk professionals, must have direct and independent reporting lines to the board.
  • A detailed, board-approved cyber risk management strategy should be in place..

Established board-approved cyber risk appetite and tolerances, which cover external and internal risks, which explicitly aim, over time, to reduce aggregate institutional and sector-wide cyber risk.SEC CF Disclosure Guidance: Topic No. 2: Cybersecurity (2011): On October 13, 2011, the SEC issued CF Disclosure Guidance: Topic No. 2: Cybersecurity providing the Division of Corporation Finance’s views regarding disclosure obligations relating to cybersecurity risks and cyber incidents. The guidance advised,

“(1.) [D]isclosure requirements may impose an obligation on registrants to disclose [cybersecurity] risks and incidents.

(2.) Material information regarding cybersecurity risks and cyber incidents is required to be disclosed when necessary in order to make other required disclosures, in light of the circumstances under which they are made, not misleading.”

The guidance also advised that appropriate disclosures may include:

  • Business and Operations Risk: Discussion of aspects of the registrant’s business or operations that give rise to material cybersecurity risks and the potential costs and consequences;
  • Outsource Risk: To the extent the registrant outsources functions that have material cybersecurity risks, description of those functions and how the registrant addresses those risks;
  • Historic, Material Cyber Incidents: Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences;
  • Undetected Incident Risk: Risks related to cyber incidents that may remain undetected for an extended period; and
  • Insurance: Description of relevant insurance coverage.

Test Case — SEC Disclosure Requirements

SEC disclosure requirements are at the heart of a reported SEC investigation of a global internet information company that suffered two massive data breaches, and the timing of its disclosures of those breaches. The results could become a watershed event.

Background: Since the SEC’s guidance in 2011, D&O risk experts watched for signs that the SEC or plaintiffs’ bar would use it as a springboard for a new wave of class action litigation. However, those concerns fizzled as securities lawyers worked their wording magic and effectively took the wind out of the class action sails. An SEC investigation into cybersecurity disclosures is also not new. The SEC has investigated multiple companies over whether they properly disclosed breach events. Those investigations include headline-making security breaches like those of a large retailer that suffered multiple breaches that compromised hundreds of millions of credit and debit card accounts.

Why this one is different: A two-year delay between the breach and its disclosure seems on its face very concerning. That the issuer’s core business was being acquired for $4.83 billion during that delay, and that the disclosure of the cybersecurity events led to a $350 million decrease in the purchase price gives us ample reason to be concerned that the SEC could take game-changing action.

But what will the SEC do? Too soon to tell, but any SEC action could provide a basis for the plaintiffs’ bar to successfully pursue cybersecurity-based securities class actions.

Cyber disclosure-based class action: At least one law firm has not waited. A securities class action has been filed against the company, together with its CEO and CFO, alleging that during the class period, the company made false and misleading statements over multiple quarters. The defendants are alleged to have failed to disclose that hackers had stolen information in two distinct incidents, over two years, involving more than 500 million and one billion accounts, respectively. Plaintiffs are seeking recovery based upon Securities Exchange Act Section 10(b), 15 U.S.C. § 78j(b), and SEC Rule 10b-5, and for control person liability under Exchange Act Section 20(a).

SEC Proxy Rule: Effective February 28, 2010, the SEC’s Proxy Disclosure Enhancements final rule went into effect. The rule addressed, among other things, the board’s role in risk oversight. Intended to promote greater accountability and enhance information available to shareholders, with respect to risk, the rule provides,

Risk: by requiring disclosure about the board’s role in risk oversight and, to the extent that risks arising from a company’s compensation policies and practices are reasonably likely to have a material adverse effect on the company, disclosure about such policies and practices as they relate to risk management;”

State laws and regulations

NY-DFS, Cybersecurity Requirements For Financial Services Companies: Effective March 1, 2017, DFS now requires banks, insurance companies, and other financial services institutions regulated by DFS to establish and maintain a cybersecurity program. This new regulation sets minimum standards, requires, among other things, a risk assessment, disclosures, training and monitoring, and the encryption of nonpublic information.

Beginning February 15, 2018, covered entities must annually prepare and submit a Certification of Compliance to the superintendent. Essentially, that certificate requires the chairperson of the board or a senior officer to certify:

(1) The relevant directors or officers have reviewed the required documents, reports, certifications and opinions; and

(2) To the best of the directors’ or officers’ knowledge, the company’s cybersecurity program complies with the regulation.

Signed by the Chairperson of the Board of Directors or Senior Officer(s).

In the event of a data breach, the DFS or plaintiffs may argue that the certifying officer made deliberate or inadvertent misrepresentations in the certification.

International Organization for Standardization

The International Organization for Standardization (ISO), an independent, non-governmental international organization, published its own information security standard known as the ISO/IEC 27001, which provides another framework for cybersecurity implementation.

D&O insurance coverage

With the exception of D&O policies that have an explicit cyber exclusion, public company forms generally handle cyber-related D&O claims as well as they handle other D&O claims. Claims for breaches of fiduciary duty, whether direct or derivative, would generally fall within the scope of typical D&O coverage. Likewise, private company D&O forms largely handle claims for breach of fiduciary duty well absent a specific exclusion. To the extent a D&O claim is based upon public company disclosure claims (including securities class actions) and/or merger objection claims (somehow tied to cyber insecurity), today’s D&O policies would generally work as expected for claims of this type. Nevertheless, there are a few things to consider about cyber insecurity that differentiates that risk from others.

First-party loss: Except for certain costs of responding to an investigation, the cost of defense, and any covered crisis management costs, the typical D&O policy provides coverage for liability for third-party loss. It is not designed to cover first-party loss resulting from a cyber event — no coverage for forensics work, loss of data, damaged hardware or other property, or business interruption. That coverage may be available under a typical cyber insurance policy.

Terrorism exclusion: Cyber claims may be the result of hacktivists, government and/or quasi-government actors. If so, a war or terrorism exclusion that fails to explicitly carve out cyber-based events could be triggered and restrict coverage.

Privacy exclusion: Some carriers may assert that any invasion of privacy exclusionary wording in their policies (if they have that exclusion) excludes certain cyber claims — direct or indirect. Even if the carrier has added a limited cyber carve-back, there may be limited coverage. If not sufficiently broad, the carve-back may actually strengthen the exclusion. Simply by adding the carve-back, the carrier has a stronger argument that the privacy exclusion was intended to exclude some cyber loss. The take away: Make sure any carve-back is broad enough to not limit coverage you would expect under a D&O form, particularly for the individual D&Os.

Cyber exclusions: Although not yet commonplace, some carriers require a cyber exclusion for private companies. They do so because of the open-ended, broad form entity coverage that is typically part of a private company’s D&O coverage. If your policy has such an exclusion, make sure it does not interfere with the traditional role of your D&O insurance.

Conclusion

With cyber insecurity risk and cybersecurity regulation so dynamic, directors and officers should keep a close eye on their increased risks. Regulations like the Enhanced Cyber Risk Management Standards and the DFS Cybersecurity Requirements For Financial Services Companies are prescriptive and could result in heightened risks for directors and officers, whether from enforcement or any civil liability for not preventing a serious breach. A professionally placed D&O policy should respond well in case you are faced with cyberrelated claims or investigations, but, until our collective cyber insecurity subsides dramatically, we recommend a copious review of your policy to make sure it is optimized to avoid unforeseen gaps in coverage.

Related services


Also of interest


Contact

  • Rob Yellen
    D&O and Fiduciary Liability Product Leader, FINEX NA