Opening the cyber-kimono
The high-profile hackings of Target and Wyndham Worldwide have spurred lawsuits against corporate officers and directors, regulatory investigations and congressional hearings. These data breaches constitute yet another warning to corporate America that cyber-crime isn’t just an IT issue and that it certainly demands the attention of business leaders.
The aftermath of these hackings should be a teachable moment. Aside from the government investigations, 140 separate civil lawsuits have been filed as a result of the Target hacking, including several shareholder derivative actions against the company’s board members and directors, alleging that they ignored ‘red flags’ concerning the security of the customer information, and singularly failed to implement ‘any internal controls… designed to detect and prevent such a data breach.’
The litigation against Wyndham’s officers and directors makes similar allegations, charging that they, too, failed to ‘ensure the company... implemented adequate information security policies and procedures.’
While C-suites and boards of directors get to grips with this new cyber-reality and their relevant legal duties, a recent PwC report finds that the cyber-security programs of US firms do not rival ‘the persistence and technological prowess of their cyber-adversaries.’
While it might seem obvious that companies would consider nearly any significant cyber-attack a material event that requires proper disclosure, the reality is that the legal and regulatory implications of attacks are murky. In 2011 the SEC issued ‘guidance’ to companies on when to disclose a cyber-incident to investors. But the SEC’s guidance is just that – guidance. It is not a rule or regulation, nor is it mandatory. It also leaves many details to the discretion of individual companies.
The guidance explains that federal securities laws are designed to ensure the disclosure of ‘timely, comprehensive and accurate information about risks and events that a reasonable investor would consider important to an investment decision.
‘Although no existing disclosure requirement explicitly refers to cyber-security risks and cyber-incidents, a number of disclosure requirements may impose an obligation on registrants to disclose such risks and incidents,’ the SEC guidance continues.
Companies have remained reluctant to mention cyber-security in their public filings, however, even while the number of companies reporting concerns about cyber-security has more than doubled in the past two years. Companies including Google, AIG and Quest Diagnostics have all ultimately filed revised cyber-security disclosures after being chided by the SEC for not doing so.
Still, many companies continue to refrain from disclosing data breaches or provide only vague disclosures. This is because disclosures can undermine a company’s cyber-security efforts or jeopardize an ongoing law enforcement investigation. The SEC itself acknowledges that providing too much detail could create a ‘road map’ for infiltrators.
Other difficult questions remain. Should the SEC adopt a regulation giving corporations a pass from public disclosure obligations if they refer the matter to law enforcement? Such a rule could easily be abused. A corporation’s concerns over legal liability and protecting its reputation and stock price already create powerful incentives not to go public. It could prove irresistible for a victim corporation to make a half-hearted referral to law enforcement as a fig leaf to avoid an embarrassing – and potentially devastating – disclosure.
Furthermore, once a disclosure to law enforcement has been made, the company will likely get little information about the status or progress of any investigation. Can a company that reports an attack to law enforcement, and then hears nothing back for weeks or months, continue to keep information about the attack from its investors?
At an SEC roundtable on cyber-security in March 2014, participants debated whether the SEC should transform its guidance into rules to provide corporations with more certainty as to what is expected of them when faced with a cyber-attack.
In any case, a regulatory slap on the wrist is just the start; the potential legal liability for a company, its executives and its board is staggering. Lawyers and regulators may begin sharpening their knives to seize upon any organization that has not taken adequate measures to shore up – and communicate about – its digital infrastructure.
There are no easy answers, but there are several things that should happen immediately:
1. The SEC must step up with guidance that is more direct and detailed, and which takes into account the significant competing interests companies face, especially if public disclosure would jeopardize ongoing law enforcement efforts or expose critical vulnerabilities. If the federal government is going to embark on a high-profile cyber-campaign, it must give businesses clear direction and guidance.
2. Regardless of regulatory guidance, corporations need to get specific with their cyber-security preparedness – not only to protect themselves against attack, but also to help them defend against lawsuits. Directors and officers need to ask – and disclose in their public filings when appropriate to do so – key questions about cyber-security protocols in place, including:
- Is there a board committee or board member with the requisite background and experience to oversee cyber-risks?
- Is it prudent for the board to retain a cyber-security consultant or adviser to assist in asking questions of management and the IT department?
- What are the greatest cyber-risks to the company? How often are those risks reassessed?
- How should the board receive its cyber-briefings?
- Is there an appropriate cyber-incident response plan in place at the company? Does it include a specific media and public relations plan and outreach to all key constituents including clients, vendors, customers, law enforcement, regulators and shareholders? How often is this plan rehearsed? How often is it reviewed and/or updated?
3. Corporate secretaries should start keeping appropriate records of the board’s process in cyber-security matters.
4. Consider whether cyber-insurance makes sense. More and more companies are purchasing it: according to Betterley Risk Consultants, total cyber-insurance premiums paid last year were $1.3 billion, compared with $1 billion in 2012. Somewhat surprisingly, the majority of cyber-insurance policies were issued to small and mid-sized companies.
The solution is not simple. Just having the best technology in place isn’t enough – companies must adopt and articulate clear policies that outline the steps taken to protect sensitive data, along with their responsibilities and plans for disclosing breaches. They should clearly define the roles of senior management and directors, address and explain their insurance coverage, and specify the frequency with which security policies are updated.
It’s been almost two years since former defense secretary Leon Panetta invoked the specter of a ‘cyber-Pearl Harbor’ in describing the threat of cyber-attacks on US businesses and institutions. Since then, cyber-attacks against US corporations have grown in frequency and intensity – and it’s time the responses did as well.
Craig Newman is managing partner of law firm Richards Kibbe & Orbe and chief executive officer of the non-profit Freedom2Connect Foundation.