Risk managers should step up as SEC targets cyber security
The U.S. Securities and Exchange Commission has sharpened its focus on cyber security preparedness, says Daniel Garrie, co-head of the cyber security practice at Zeichner, Ellman & Krause L.L.P. law firm in New York. Risk managers now have the opportunity to help guide their organizations as they seek to address the vast legal liabilities that are arising from cyber risks.
The spate of cyber hacking in 2014 reflects the ugly reality that today virtually every company either has been hacked or doesn't know it's already been hit. The victims included the U.S. Postal Service and many household corporate names: Sony Pictures Entertainment Inc., Alcoa Inc., Allegheny Technologies Inc., Domino's Pizza, eBay Inc., The Home Depot Inc., JPMorgan Chase & Co. and P.F. Chang's China Bistro Inc., to name a few.
Last summer, the prestigious Center for Strategic and International Studies estimated the annual worldwide cost of cyber crime was more than $445 billion.
Four long years ago, Juniper Networks found that 90% of companies had been hit by hackers at least once. The firms range from retailers to financial services firms, and restaurants, manufacturing, transportation, utility, information and professional services firms.
But not all companies have come to grips with reality. According to a 2013 Deloitte L.L.P. survey included in its technology, media and telecommunications global security report, less than half of survey respondents reported having a response plan in place to address a security breach. And Financial Executives International's magazine reported in May 2014: “Though many companies have made considerable strides to address cybersecurity issues in a strategic fashion, many others still do not have an adequate strategy or plan.”
Worrying is not a cyber risk mitigation strategy. And cyber security attacks can no longer be the exclusive domain of an organization's chief information officer. The risks are too great. Risk managers must guide the board of directors and CEO to provide more than concern; they must help them to provide active oversight to assure that their enterprises have prudently taken all reasonable measures to protect themselves. If they fail to, it can be a “get fired” type of decision.
Increased scrutiny and pressure from corporate boards, insurance companies and government agencies such as the U.S. Securities and Exchange Commission and the Federal Trade Commission are creating a sea change. Importantly, the SEC has sharpened its focus on cyber security preparedness. Specifically, regulation of disclosure by public companies soon may address cyber security as a material risk that needs to be fully and properly disclosed. If these risks are regularly disclosed and a company has legally insufficient protections, lawsuits presenting substantial risk are sure to follow.
Risk managers now must turn to a special new cadre of cyber attorneys to help them guide boards and CEOs in protecting their companies from the vast legal and reputational liabilities that flow from cyber security vulnerabilities. This means that risk managers need to become technologically savvy and fluent in the associated legal issues and risks.
To be effective for boards and CEOs, risk managers and their cyber attorneys today must fully understand all the technological implications of cyber security. Absent full understanding of cyber technology, both are ill-equipped to properly advise and protect companies regarding the legal and regulatory issues involved.
Those issues are multiplying and complex. They range from compliance with government and industry regulatory bodies to litigation arising from lawsuits by customers, employees, shareholders, vendors, joint venture and other corporate partners whose personal data, proprietary information, intellectual property or confidential policies and procedures have been lost, compromised, and/or held hostage.
To protect against substantial liabilities, risk managers must make sure that their cyber attorneys are able to address and resolve these central legal issues:
• What are a firm's overall cyber security governance policies and systems?
• What are the technology, training and personnel, process, policy and procedural steps — including vulnerability gap assessments — that a business, government entity or institution needs to take to pass the test of reasonable prudence when it comes to protecting everything from networks and information, remote customer access and funds transfer requests to the security of the policies and systems of vendors and other third parties who have access to your network or sensitive information, particularly as they may relate to cyber security litigation?
• What are the readiness standards that companies must follow to ensure proper performance regarding meeting new SEC “voluntary suggestions” or the FTC's more aggressive enforcement policies regarding adequate cyber security for customers' personally identifiable information?
• What constitutes “cyber negligence” on the part of companies faced with cyber security threats?
• What determines whether companies have taken the necessary steps to assess vulnerabilities, prepare for and defend against cyber attack, and are these steps sufficient to cause cyber insurance carriers to pay cyber claims?
• What are the circumstances under which boards of directors or executive officers can be held liable or thrown out for failure to ensure corporate information systems are protected from attack?
• What constitutes proper and adequate cyber security governance and identification of risks, including proper practices for early warning monitoring in detecting unauthorized activity, and how to protect such critical infrastructure as networks, software network resources and remote customer access, as well as funds transfer requests, among other things?
• What are the proper cyber security roles and responsibilities inside each company, and how should companies determine whether they have the right people with the right training?
Today, cyber systemic risks are virtually unprecedented, crossing geographic boundaries and affecting multitudes of companies in a single event.
Litigation by companies seeking payment from their insurance policies for damages from cyber attacks, breaches and hacks soon may well account for 10% to 20% of all corporate insurance litigation and will be one of the three most litigated aspects of insurance law in the near term.
The time is now for the risk manager to help guide his or her company to take the necessary and prudent steps to protect against vast legal liabilities, especially with the SEC beginning to look at cyber security in the context of disclosure of material risks.
Attorney Daniel Garrie is co-head of the cyber security practice at Zeichner, Ellman & Krause L.L.P. law firm in New York and editor-in-chief of the Journal of Legal Technology Risk Management and the Journal of Law and Cyber Warfare. He can be reached at firstname.lastname@example.org and 212-223-0400, ext. 689.