


Cyber liability from perspective of board members and execs

Nov 05, 2015 · 6 mins
Data and Information Security, Security

90% believe cyber liability falls on third parties when flaws are found in their packaged software.


Companies are increasingly reliant on digital spaces, and the continuing stream of high-profile data breaches means cybersecurity topics – often in the form of cyber liability questions – are now a part of board and senior management discussions instead of only being discussed at the IT level. Security, following “ethical issues,” is the second-leading risk to a company’s brand.

Although getting hacked has a huge impact on the bottom line, NYSE Governance Services and Veracode found that “the extent of the brand damage caused by breaches is often linked to boards’ level of preparedness. It is therefore a board’s fiduciary duty to ask the right questions to ensure due care has been followed.”

“Did your company have a material security breach in the past 24 months?” An alarming 47% said “yes” when IID and the Ponemon Institute surveyed 692 IT and IT security professionals from global businesses as well as government agencies. You’re doing it wrong if you wait until after a breach to start talking about responsibility. Cyber liability will smack someone, and right now liability is being defined by the courts.

NYSE Governance Services, in partnership with Veracode, surveyed 276 board directors and senior executives across publicly traded companies “to draw parallels between businesses’ cyber risk management practices and their efforts to address cybersecurity liability matters.”

  • 9 out of 10 directors and officers believe regulators should hold businesses liable for breaches if they don’t make reasonable efforts to secure customer data.
  • With 72% expecting more cyber-related regulation in the near future, most companies have begun intensifying their cyber risk management efforts.
  • As a result of cyber liability concerns, 77% of respondents say they have already increased their security assessments, while an additional 17% mentioned they are planning to do so in the near future.
  • 89% surveyed believe that if a company does not make “reasonable efforts” to secure its data, then that company should be held liable by regulators.

What actually constitutes negligence by failing to take “reasonable efforts”? It appears to have been a SQL injection that led to TalkTalk being breached, as well as the JP Morgan Chase Corporate Challenge website. Yet “SQLi has been listed on the industry standard OWASP Top 10 for more than a decade. Should TalkTalk or the third-party contractor who built and managed JP Morgan’s site be liable for not finding such a common, well-known vulnerability?”

According to the Verizon 2015 Data Breach Investigations Report, “99.9% of the Heartbleed-like software vulnerabilities exploited in 2014 were publicly-announced more than a year before they were exploited — with some vulnerabilities going back to 1999. Is it ‘reasonable’ not to patch a known vulnerability? And should businesses be held liable for failing to do so?”

Companies with “a dedicated CISO detected more security incidents and reported lower average financial losses per incident,” so should we “assume that a company that does not have a CISO is not making a reasonable effort to secure data?”

  • 90% surveyed agree that third-party software providers should be held liable when vulnerabilities are found in their packaged software.

According to Veracode’s 2015 State of Software Security Report, “nearly three out of four enterprise applications produced by third-party software vendors contain vulnerabilities listed in the OWASP Top 10.”

The threat of legal action due to breaches has boardrooms paying attention.

  • 43% surveyed say they believe that civil lawsuits from investors and affected customers or criminal prosecutions are sufficient to circumvent cavalier corporate behavior.
  • As the U.S. Securities and Exchange Commission and other regulating bodies continue to intensify their focus on third-party risk management, 65% of respondents say they have already begun or are planning to insert liability clauses into contracts with their third-party providers.

How does a company prepare for increased cyber liability?

Key questions raised by the survey highlight the debate needed to frame the liability issue. For example: When should a company be considered negligent in its processes—or lack thereof—for securing sensitive information? What constitutes ‘reasonable’ efforts to address vulnerabilities in web and mobile applications, libraries and frameworks, and other components in its digital infrastructure? Should companies be held liable for not finding a well-known and easily-found vulnerability such as SQL Injection? Is it a minimum ‘standard of due care’ to patch widely-known vulnerabilities such as Heartbleed, and should businesses be held liable for failing to do so?

While 94% of respondents have increased or are planning to increase their security assessments to address liability concerns, two-thirds of respondents say they have also begun or are planning to insert liability clauses into contracts with their third-party providers. Respondents also mentioned hiring outside consultants as well as ramping up security training. Many are also increasing audit committee and board-level oversight – a strategy that’s in line with expert recommendations to report on the business’s cybersecurity measures to the audit committee, and to the full board annually.

The majority of companies are counting on cybersecurity insurance to avoid future cybersecurity liability. Last month Reuters reported the threat of cyberattack is so imminent that the cyber insurance market is expected to triple to about $7.5 billion by 2020.

Most of the directors and officers said their company was covered by some form of cyber insurance. A whopping 91% have “business interruption and data restoration protection;” 54% also have “coverage for expense reimbursement (PCI fines, breach remediation/notification, extortion, etc.).”

Having cyber insurance isn’t the same thing as having it pay out. Veracode explained, “For a payout to occur, insurance companies will require that a company proves it had adequate measures in place to protect its data. A growing number of companies are therefore preparing for this contingency, with 52% subscribing to employee/insider threat liability coverage;” 35% are “seeking coverage against loss of sensitive data caused by software coding and human errors.”

“Just as the evolution of fire insurance drove the creation and enforcement of minimum standards in the way buildings are constructed and protected, cyber liability insurance may soon establish a new baseline for cybersecurity best practices,” said Veracode chief strategy officer Sam King. “As insurance providers tighten requirements for claims payouts, companies will be forced to meet a minimum standard of acceptable practices, thereby improving their overall security posture. Boards would be wise to start putting pressure on their companies to really focus on understanding their cybersecurity risk and set an urgency around the issue to prevent brand damage and loss in shareholder value.”

You can find more detailed stats and conclusions from the survey in the joint NYSE/Veracode white paper “Cybersecurity and Corporate Liability: The Board’s View.” There is also a trio of nifty infographics.


Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues. She focuses on the unique challenges of maintaining privacy and security, both for individuals and enterprises. She has worked as a journalist and has also penned many technical papers and guides covering various technologies. Smith is herself a self-described privacy and security freak.