

    By Tracey Vispoli


    It is imperative that directors and officers be significantly involved in ensuring that the organization is sufficiently protected from cyber risk.

    Network security breaches, with their potential for releasing the private information of thousands of customers, are more likely than ever to occur these days. Information systems can be targeted by hackers, disgruntled employees, cyber terrorists, viruses, and worms. These security breaches can expose companies to class-action lawsuits, significant recovery costs, and irreversible damage to the corporate brand.

    In the past, protecting an organization from cyber threats was mainly the domain of information technology gurus. However, the Sarbanes-Oxley Act of 2002 has created significant changes in corporate governance—including the oversight of cyber security. Although the law doesn’t address cyber exposures as such, it is specific in saying that company officials must sign off and attest to a controlled environment. Clearly, then, security weaknesses in the cyber world are a control issue. Since the fiduciary duties of board directors and corporate officers require them to evaluate and maintain a safe control environment within a company, they are responsible for seeing that the organization regularly evaluates its position on cyber security in the same way it analyzes any other risks.

    Neither the size of an organization nor the type of services it offers is a differentiating factor when it comes to cyber risk. Financial institutions of all sizes, from a community bank to a multinational asset management firm, are equally prone to security breaches and other cyber exposures. What does matter is whether or not the company implements and maintains a “best practices” model for safekeeping of confidential information.

    It is imperative that directors and officers put cyber security on their radar screens and be significantly involved in ensuring that the organization is sufficiently protected from this risk. The board should understand the inherent risks associated with the company’s technology platform (that is, how the company receives, transmits, and stores electronic information).

    Annual Testing

    In light of Sarbanes-Oxley, at least once a year the board and senior officers must evaluate and approve the company’s electronic security procedures, requiring a test or audit of these policies and procedures. For this periodic evaluation, directors need to be briefed on the state of cyber security at the company, including an outline of the organization’s security philosophy and a high-level overview of its security plan. In some cases, their responsibility may extend to requesting an outside assessment of cyber risk, something akin to an external auditor reviewing the financials of the organization.

    Ideally, the person best suited to deliver this briefing is the company’s chief risk officer. Typically, risk managers identify, assess, and control the risk of loss to a company through a variety of loss control measures, including the purchase of insurance to transfer risk. More broadly, risk officers are responsible for assessing a wide variety of operational risks within a company, from its accounting procedures to its technology network. Since cyber security must be viewed holistically as well, the person who makes these board presentations should be the same one who coordinates the internal resources to address this and other issues.

    Beyond the Web

    Board members need to recognize that companies remain open to security breaches even beyond the vulnerability of their Web sites. For example, a cyber attack could cripple a much-needed service provider. A recent case in point: the much-publicized theft in March of a laptop from a rental car in Palo Alto, California. The laptop, which belonged to an employee of Fidelity Investments, held extensive personal information on the retirement plans of Hewlett-Packard workers, notably their names, addresses, Social Security numbers, and compensation. Acting swiftly, Fidelity notified these members and offered them free credit monitoring for the next year, as well as advice on protecting themselves from identity theft. In this case, as with other recent cases such as BJ’s Wholesale Club, ChoicePoint, and Bank of America, the breach that occurred in the company’s electronic store of confidential customer information had no connection to its Web site.

    Boardroom Briefing: The Wired Board

    In 2005, 22 states adopted privacy notification laws requiring companies to disclose security breaches to customers residing in those states, and more states are expected to follow suit. The challenge here is that state laws pertain to the consumer’s location, not the location of the company that experienced the breach. Therefore, directors of companies with customers in all 50 states must make sure their organizations understand the varying requirements for safeguarding confidential information, reporting breaches, and notifying customers, as well as what constitutes confidential information and various reporting thresholds in at least 22 (and counting) different jurisdictions.

    Obviously, these state laws add another layer of responsibility and cost to an organization’s cyber security program. A conservative estimate of notification costs is $30 per customer, but some reports put it as high as $100. These laws also enhance the likelihood of litigation from impacted customers should a network security breach occur.

    Although requirements for notification now exist in nearly half the states, it’s still impossible to count the number of true cyber extortion events or to know how much companies may be spending on extortion payments. Nevertheless, it’s believed that cyber extortion payments are occurring more frequently but are simply not being reported, because companies are either embarrassed by these incidents or fearful of the reputational consequences if the extortion event became known.

    Cyber Liability

    As boards scrutinize their companies’ cyber preparedness, they may also want to consider the purchase of a cyber liability insurance policy, which typically addresses the e-commerce crime- and liability-related exposures the company may face and may even cover the costs associated with security breach notification. Unfortunately, the all-too-common disconnect between many risk managers and IT security officers may leave some companies without coverage for these potentially costly exposures. Directors need to ensure that an open dialogue exists between risk managers and IT security officers so that risk mitigation through cyber insurance is appropriately considered.

    Clearly, Sarbanes-Oxley has greatly expanded the fiduciary responsibilities of directors to include emerging risks such as cyber liability. Ignoring the cyber threat, or treating it as “just an IT problem,” exposes a company, and ultimately its directors and officers, to potential financial devastation. A comprehensive risk management plan centers on the company’s IT philosophy, its security culture, and on how security is executed. Insurance protection also plays a critical role in this plan. Directors would do well to partner with the company’s risk officer to better understand their organization’s cyber exposures and to ensure that a broad, effective cyber risk management program is in place.

    Tracey Vispoli is Vice President and global cyber solutions manager as well as the worldwide manager of financial fidelity insurance for financial institutions for the Chubb Group of Insurance Companies.
