Cyber Risk

Board Directors Worry about Cyber Security

A recent ruling requiring "reasonable care" in securing data increases liability risk.
By: | November 18, 2015

Corporate board members view cyber breaches as a growing threat, and the potential for liability has many looking to the growing cyber security insurance market, according to a recent survey.

Nine of 10 surveyed board members believe regulators should hold companies responsible for cyber breaches when “reasonable care” has not been taken to secure customer data, according to the survey by NYSE Governance Services and Veracode.

The survey questioned 276 board members about the way cyber security liability is being discussed in the boardroom.

With cyber attacks on the rise, boards and management are growing increasingly wary of any corporate behavior that can impact their brand or shareholder value. A 2014 study by Deloitte found that security is now the second-leading risk to a company’s brand.

The rise in high profile cyber attacks is expected to spark more lawsuits from both consumers and regulators to determine liability.

“Boards would be wise to start putting pressure on their companies to really focus on understanding their cyber security risk … to prevent brand damage and loss in shareholder value.” — Sam King, chief strategy officer, Veracode

“Boards would be wise to start putting pressure on their companies to really focus on understanding their cyber security risk … to prevent brand damage and loss in shareholder value,” said Veracode Chief Strategy Officer Sam King.

As a result of the increased focus on cyber liability, 50 percent of the NYSE/Veracode respondents said they expect investors to demand more transparency into their cyber security plans.

The report said boards would be wise to disclose more details about oversight and efforts when cyber incidents occur, or they could risk losing investor confidence.

FTC Lawsuit on “Reasonable Care”

Almost half of directors and officers who were familiar with the Wyndham Worldwide lawsuit said the case has influenced their decisions on cyber security liability.

The Federal Trade Commission alleged the hotel chain violated Section 5 of the FTC Act by failing to employ reasonable data security measures. Three breaches in 2008 and 2009 allowed hackers to steal card data from more than 619,000 consumers, leading to more than $10 million in fraudulent charges.

In the August 2015 ruling by a U.S. appeals court, FTC Chairwoman Edith Ramirez said it “reaffirms the FTC’s authority to hold companies accountable for failing to safeguard consumer data” and that it is “critical” that the FTC take action when companies fail to take “reasonable steps” to secure consumer information.

The decision is critically important to companies because it opens the door to further enforcement of such standards by the FTC.

The survey raises questions about how cyber-related liabilities will be framed, and when a company will be considered negligent for ineffectively securing sensitive information. Board members must ask what constitutes “reasonable” efforts to protect data and what security measures should be maintained, according to the NYSE/Veracode report.

It noted that the “Verizon 2015 Data Breach Investigations Report” found that 99.9 percent of the Heartbleed-like software vulnerabilities exploited in 2014 were publicly announced more than a year before.

“Was it ‘reasonable’ not to patch a known vulnerability? And should businesses be held liable for failing to do so?” — Verizon 2015 Data Breach Investigations Report

“Was it ‘reasonable’ not to patch a known vulnerability? And should businesses be held liable for failing to do so?” the report asked.

Third-Party Vendor Vulnerabilities

Surveyed board members also raised questions about third-party software providers and 90 percent said those providers should bear legal responsibility when vulnerabilities are found on their software.

Veracode’s “2015 State of Software Security Report” found that nearly three-fourths of enterprise applications produced by third-party providers had one or more vulnerabilities listed in the OWASP Top 10. The OWSAP Top 10 is a list of 10 critical security vulnerabilities, such as weak authentication management and security misconfiguration.

“As insurance providers tighten requirements for claims payouts, companies will be forced to meet a minimum standard of acceptable practices, thereby improving their overall security posture.” — Sam King, chief strategy officer, Veracode

While nearly almost all respondents said they are increasing or planning to increase security assessments to address liability concerns, two-thirds said they are also putting liability clauses into agreements with their third-party providers.

Some companies are also increasing audit committee oversight and hiring external consultants to reduce their vulnerabilities.

The growing risk has also given birth to a rapidly growing cyber security insurance market, which is expected to triple to $7.5 billion in the next five years, according to a recent report issued by PwC.

Of the NYSE/Veracode survey respondents who had such insurance, 35 percent said they currently insure against software coding and human errors that can lead to a loss of sensitive data.

Veracode’s King said cyber liability insurance may eventually establish a new baseline for cyber security best practices and requirements.

“As insurance providers tighten requirements for claims payouts, companies will be forced to meet a minimum standard of acceptable practices, thereby improving their overall security posture,” he said.

Craig Guillot is a writer and photographer, based in New Orleans. He can be reached at [email protected].