Cyber Risk Management: Whose Responsibility?
The consequences of the Capital One data breach go beyond direct loss and business interruption. Within 24 hours of the breach announcement, plaintiff attorneys had filed class action suits; the FBI and New York’s Attorney General are investigating. Capital One’s directors and officers (D&O) liability insurers will have to respond to claims, and other boards will be watching the outcome.
Writing in the Harvard Law School Forum on Corporate Governance and Financial Regulation, consultant John Reed Stark discusses “What the Capital One Hack Means for Boards of Directors” (https://corpgov.law.harvard.edu/2019/08/17/what-the-capital-one-hack-means-for-boards-of-directors):
Third parties such as vendors, partners, and business associates can pose “a challenging and existential cybersecurity threat” to organizations. The maturity level of vendor risk management is still lacking despite greater awareness of the problems.
Stark recommends a comprehensive strategic framework for boards of directors to supervise a company’s third-party cybersecurity risks, with special attention to cloud computing services. (See my blog “Cloud (In)Security” for a discussion of cloud risks.) According to PWC, 63% of cyber attacks can be traced to third parties. Vendors often have less stringent security, which makes them an easier target for attackers trying to breach large companies. Target, JP Morgan, Applebee’s and BestBuy are examples of companies hacked through third parties.
In addition to individual and/or class action suits and regulatory investigations, a board’s response to a cyber breach must include forensic investigation; compliance with notice obligations; engagement with law enforcement; providing credit monitoring and identity protection (including protection of medical information); handling insurance claims; and communications with employees, business partners and the public.
Because many information technology services are outsourced, boards of directors must examine the practices and procedures of their vendors. This should include mandatory standards such as compliance certification; third-party risk and security assessments; use of current technology, including encryption and two-factor authentication; and incident response and disaster recovery plans. Categorize vendors based on the nature and quantity of information they access. Research previous data security incidents and ensure proper response procedures are in place. If possible, visit vendor sites. Be sure contracts cover all aspects of the relationship, including privacy, data security and notification provisions. Data privacy laws must be observed, including the GDPR if applicable. Establish procedures for data handling when a relationship ends.
Other subjects for the board to investigate include vendors’ communications, cyber insurance and indemnification.
Data security incidents at a vendor may impact a company, and vice versa. In either case contracts will govern the response, and each party should communicate with the other. Boards must be sure those requirements are followed.
When cloud services are used, boards must probe the cloud provider’s practices, not only its security practices. This should include company policy toward employee use of cloud file-sharing services.
According to Stark, “cybersecurity engagement for boards does not mean that board members must obtain computer science degrees or personally supervise firewall implementation and intrusion detection system rollouts”. They are responsible for evaluating cyber exposures and elevating oversight to a core enterprise risk management item.
In a critique of the article, Norman Marks (https://normanmarks.wordpress.com/2019/08/24/cyber-and-the-board/), while calling Stark’s questions “excellent”, believes he asks too much of directors. In his view it is management’s role to address cyber risk and to answer the questions Stark raises; the board’s role is to ensure management has the right answers.
In my opinion, both of these articles are worth reading in their entirety.