The risks associated with cybersecurity and data privacy protections are well recognized in today’s world. A number of high-profile cases have emerged recently showing how important it is for companies to address these risks. But some degree of confusion exists regarding the corporate fiduciary duty that company directors have in this area. And without definitive rules and standards yet in place, knowing how best to protect oneself in such an environment is challenging.
With this in mind, Bold Business sat down with its own cybersecurity and data privacy protection expert, Matt Nelson. As Chief Security Solutions Consultant, Matt excels in risk-based IT security strategies and enterprise-scale security solutions. And with over 20 years’ experience leading security operations and governance, risk, and compliance organizations, his insights are extremely valued. Regarding cybersecurity and data privacy issues and corporate fiduciary duty, the following summarizes Matt’s perspective on today’s environment.
Bold Business: According to some statistics, cybercrime is predicted to reach a level of $6.1 trillion in 2021. In terms of enterprise risk, at what level of priority do you see cybersecurity and data privacy as an issue for corporations?
Matt Nelson: Cybersecurity and data privacy risks are operational business risks that need to be considered. These need to be prioritized alongside all other identified business risks. Traditionally, they have been treated separately at the level of a CSO or CISO. But they belong at the risk committee level. In essence, they must be considered on par with other risks as part of a company’s overall risk equation. Just as with other operational risks, decisions need to be made about which parts of the business are at risk. Likewise, the value at risk and risk transfer options (contractual or insurance-related) should be considered.
When cybersecurity and data privacy risks remain down in the IT trenches, risk treatment options are rarely part of Board discussions. In fact, Board members may not even be aware that critical business processes are at risk. This can leave Board members blindsided and the company vulnerable to litigation and fines. This is especially true if a company is found liable of negligence due to poor cybersecurity and data privacy practices.
Bold Business: Corporate directors and executives are assigned a duty of care and a duty of loyalty as corporate fiduciary duty. Can you explain these responsibilities and how they relate to cybersecurity and data privacy matters?
Matt Nelson: Duty of care and duty of loyalty are major responsibilities of corporate directors and executives. Improper execution of this corporate fiduciary duty can result in liability loss exposures for companies. Duty of care requires that corporate management keep themselves informed of corporate audit and risk committee findings. Likewise, this requires them to exercise reasonable care in making informed business decisions. This does not mean they have to become experts in cybersecurity and data privacy. But it does mean that they need to be aware of the information coming from their risk officers. If they see a gap in what’s being provided, they should ask for cyber risks to be communicated to the Board.
Duty of Loyalty is not as obvious as a corporate fiduciary duty in the cybersecurity and privacy risk space. Company officers have a duty to their stockholders to act in the best interests of the company. Likewise, they have a duty to protect stockholder investments as part of their responsibilities. It is noteworthy that cybersecurity and privacy risks can expose a company to regulatory and contractual losses. And this, in turn, may result in adverse impacts to the financial health of the company.
Bold Business: When it boils down to it, who has primary oversight responsibility and corporate fiduciary duty for a company in terms of cybersecurity and data privacy?
Matt Nelson: A company’s Board of Directors has the primary oversight responsibility for all risk as part of their corporate fiduciary duty. This oversight includes responsibility for ensuring that their enterprise risk management program assesses, monitors, and reports on cybersecurity and privacy risks. And this includes their potential impacts to the company’s bottom line. This level of visibility will assist in the protection of company assets. Such assets include both intellectual property as well as assets belonging to clients and partners.
Bold Business: One of the criteria for duties of care is to reasonably attain all relevant information and critically analyze it. How does this apply to cybersecurity and data privacy in practical terms?
Matt Nelson: While it’s true that duty of care requires critical analysis, it does not necessarily require that the Board suddenly become cyber-experts. However, this corporate fiduciary duty does require oversight officers to include cybersecurity and data privacy risks in their risk portfolio. Likewise, risk/audit committees, depending on the Board’s structure, should address these risks in terms of legal, contractual, and regulatory requirements. This should include recommendations from risk/audit committees on risk treatment actions, whether it be avoidance, retention, or transfer. And such recommendations may include options for cyber-insurance risk transfer for the Board to consider.
Bold Business: What aspects of a crisis protocol in dealing with cybersecurity and data privacy breaches are needed for them to be effective and comprehensive?
Matt Nelson: Risk management addresses the potential frequency and severity of risks. Likewise, it also determines how risks will be treated in the event of a loss (assuming pure risks). And risk management focuses on loss prevention controls, crisis management responses, and recovery activities during a specific event. The purpose of a crisis management plan when dealing with cybersecurity and data privacy breaches is to minimize harm. This includes threats to the organization’s information assets as well as the business processes operated by those assets.
Overall, a crisis protocol requires a documented Business Continuity Plan based upon an up-to-date Business Impact Analysis. In addition, it requires documented and tested response and recovery procedures. And lastly, the personnel responsible for the execution of the plan must be identified and trained. If organizations don’t have these resources in place, a partner may need to be identified to assist with these activities. Some cyber-insurance firms provide these resources as part of cyber-claim activities. In many cases, a company may actually already have a trusted partner working with them on other remediation activities.
Overall, such a crisis protocol is normally included in corporate fiduciary duty related to cybersecurity and data privacy. An organization should realize that inadequate crisis management may result in serious adverse losses for the corporation. These may include not only financial and reputational damage but legal actions, fines, increased premiums, and loss of competitive advantage.
Bold Business: Do you see value in having corporations requesting independent audits of their company’s cybersecurity and data privacy risks, and if so, how often should these be performed?
Matt Nelson: Independence is a fundamental audit principle, and it applies to both internal and external audits. An internal auditor is not allowed to audit any area where they have contributed to the design of the controls. Likewise, an external auditor is not allowed to consult on controls design and then audit those controls.
An organization may choose to employ a combination of internal and external auditors for several reasons. Even when an internal audit function exists, an organization may choose to use external auditors to enhance their audit program. This provides an independent view of cybersecurity and data privacy risks. Also, an independent external audit is protected from management influence that might result in inadvertent bias. Finally, internal auditors may need the services of an external auditor in specialized areas that are not their core areas. This is especially true for areas involving new and emerging technologies and for audit processes that might benefit from improvements.
In some cases, contractual or regulatory agreements determine the frequency of cybersecurity and data privacy risk audits and auditor qualifications. For example, payment card companies define the type and frequency of PCI security audits required. The PCI Security Standards Council similarly determines auditor qualifications. Other cybersecurity and data privacy audits, such as US FedRAMP and ISO 27001, operate programs requiring registered external auditors. ISO 27001 requires annual internal audits which may be performed by an organization’s audit staff. It also requires an external audit by a qualified assessor on a three-year cycle. Other regulatory bodies, such as Centers for Medicare and Medicaid Services (CMS), require a three-year cycle with all controls tested. These audits must be performed by independent auditors, whether internal or external.
In general, it is recommended that an audit of security controls be performed whenever new controls are implemented. The same is true when new technologies are deployed that change the design and behavior of existing controls.
Bold Business: Many companies rely on periodic summary reporting measures internally to oversee and monitor cybersecurity and data privacy risks. Are these effective in meeting corporate fiduciary duty and related responsibilities, and how often should such reports be generated?
Matt Nelson: Periodic summary reports may be used as a way of reporting identified risks. It is essential for risk committees and Boards to review these reports and address material cybersecurity and data privacy risks. It is essential that processes be in place to assess potential business and financial impacts of these risks and ensure that mandatory disclosures take place. This is certainly true for public companies or companies required to report to regulatory bodies on a periodic basis. Periodic summary reports may also be used in a measurement program where several periods are combined together. These can then be used to track risk trends and gain visibility into areas where further controls reviews are needed.
Bold Business: The Dodd-Frank Wall Street Reform and Consumer Protection Act requires financial institutions to have an independent risk committee to assess enterprise risk as part of their corporate fiduciary duty. Do you encourage this for all corporations in addressing risks related to cybersecurity and data privacy protections?
Matt Nelson: An enterprise-wide risk committee gives the company an advantage when evaluating risk and making risk-based business decisions. Enterprise risk allows for assessments across all risk quadrants (hazard, operational, financial, and strategic) and the organization’s business units. This broader view makes it possible to detect trends and inter-dependencies. And it is part of corporate fiduciary duty.
An example of this would be when equipment no longer supported by the manufacturer is not replaced. In the presence of an obsolete operating system not receiving security patches, a cyber-attack could result in loss of operations. This could result in the shutting down of a manufacturing plant and cause serious financial loss. This would be certainly true if the operating system was susceptible to ransomware.
If risks are looked at holistically as part of corporate fiduciary duty, the potential for financial loss can be identified. This would then encourage system upgrades to prevent such loss or risk. But in the traditional siloed approach, the IT manager may not have the necessary data to justify the funding needed to replace the systems. This type of scenario may be remedied by communicating and sharing risk information across various silos. This can best be accomplished under the leadership of an enterprise risk management officer reporting to a risk management committee. Consolidating data and looking for patterns that would be undetected in the silo approach naturally leads to better business decisions. And this is an advantage of enterprise risk management approaches over traditional risk management ones.
Bold Business: There remains some ambiguity regarding what exactly reflects adequate cybersecurity measures and oversight. What level of risk do today’s corporate directors and executives have personally in terms of breaching their corporate fiduciary duty related to cybersecurity and data privacy?
Matt Nelson: The major corporate fiduciary duty of company officers involves duty of care, duty of loyalty, duty of disclosure, and duty of obedience. At times, directors may try to invoke the business judgement rule to excuse poor business decisions for duty of care. But this rule will fail to justify choices if available information was not incorporated into appropriate business decisions. Failing to make use of this information is generally perceived as negligence of corporate fiduciary duty involving duty of care.
Similar issues exist with duty of obedience since corporate officers are obliged to comply with all federal and state laws. GDPR, HIPAA, and state privacy laws mandate cybersecurity and data privacy breach notification disclosures. These alone require companies to have measures in place for detection and disclosure of such breaches.
In recent years both the Yahoo! and Equifax data breaches have resulted in D&O litigation. This highlights corporate obligations to report cybersecurity and data privacy breaches to the Board along with planned mitigation activities. The risk committee of the Board must then ensure that these breaches are being addressed. And likewise, they must ensure they are reported in accordance with all contractual, regulatory, and statutory requirements.
Bold Business: Do you believe specific structures and activities will be better defined legally for corporations in dealing with cybersecurity and data privacy risks in the future?
Matt Nelson: Absolutely. Recent derivative lawsuits against corporate officers resulting from large cyber breaches (Target, Equifax, and others) support this. They have shown the importance of ensuring that Boards have adequate visibility of cybersecurity and data privacy risks. This allows these types of risks to be considered, prioritized, and managed in the same manner as other company risks.
The SEC has already produced guidance documentation in this area regarding disclosure requirements. However, this represents guidance and not law at the current time. It is important to note that the SEC has been cautionary in its language. It has stated:
“Although no existing disclosure requirement explicitly refers to cybersecurity risks and cyber incidents, a number of disclosure requirements may impose an obligation on registrants to disclose such risks and incidents. In addition, material information regarding cybersecurity risks and cyber incidents is required to be disclosed when necessary in order to make other required disclosures, in light of the circumstances under which they are made, not misleading.”
Even if not law, the SEC’s statements have raised awareness. These comments suggest that Boards are expected to consider cyber risks in the same light as other risks for disclosure. In the meantime, it is clear that cybersecurity and data privacy risks are real and are not going away. Therefore, the best defense under the business judgement rule is to ensure processes are in place to provide actionable cyber-reporting. This should be provided by the risk committee, and Board members should consider these risks alongside all other business risks.
If the Board does not feel it has the necessary cyber skillsets, cyber-training and legal counsel may be required. This can shed light on what information should be available and how due care should be provided for potential cyber-breaches.