68% of C-level executives now view IT risks as one of the top risks for their organization, while it was barely an issue just a few years ago. Executives at Target (its CEO), the Texas State Comptroller’s office, and the Utah State Department of Technology Services, to name a few, have lost their positions after massive data breaches. Moreover, Moody’s, the bond credit rating organization, recently stated that cyber risks are growing in importance in its credit rating activities. In its report “Cross Sector — Global: Cyber Risk of Growing Importance to Credit Analysis”, Moody’s outlines its plans for assessing cyber risks and their impact on credit analysis. Credit rating agency Standard & Poor’s also announced that lenders might have their rating lowered if they fail to protect themselves from cyber-attacks or damaging breaches.
These developments have made it clear that cybersecurity poses new threats that must be addressed by the board of directors. By thoroughly understanding where risks can arise, the board of directors can provide strong corporate governance. It can utilize shareholder capital in a way that contributes to the growth of the organization’s operations and value, benefitting the shareholders and the organization’s long-term performance. Here’s why:
1. Financial Implications.
a. Costs. It goes without saying that cybersecurity incidents and data breaches cause substantial expenses and losses. The average cost of a data breach in 2015 reached $3.79 million. This enormous sum usually includes data breach notification expenses, forensic and regulatory investigations, regulatory fines, attorneys and consultants, PR professionals, and remedial measures.
b. Credit rating. As mentioned above, the cybersecurity risks to which a company is exposed and the security measures employed are now becoming a consideration for the organization’s credit ratings.
c. Stock value, liquidity and operational risks. After a breach, a company’s stock price is highly likely to drop, adding to the organization’s financial losses.
2. Operational disruption. Disruption can range from shutting down departments or servers due to DDoS attacks, to APT attacks and massive data breaches, such as those at Target and Sony, which can cripple operations and profits entirely.
3. Brand perception and reputation. A high-profile data breach, such as the one at T-Mobile, harms the brand’s name at best. At worst, it can destroy a business and its customers’ confidence, as in the case of Target. Even the smallest security incident can negatively affect a company’s ability to compete effectively and harm customer and shareholder confidence.
4. Legal liability. Companies might face lawsuits from customers and shareholders for failing to comply with regulatory data safety and privacy requirements. Liabilities include neglecting to maintain proper internal controls, or failing to take reasonable steps to keep customers’ personal and financial information secure, as in the Target and Wyndham Worldwide Corporation cases, respectively. Class action lawsuits have even been filed for failure to adhere to cybersecurity “best practices.”
5. Regulatory compliance. The board must oversee compliance with the regulatory framework for protecting personal information (the U.S. Court of Appeals for the Third Circuit affirmed the authority of the Federal Trade Commission to pursue enforcement actions against companies that fail to employ reasonable and appropriate cybersecurity measures for consumers’ sensitive personal information), as well as with data security and usage rules. Beyond that, the board must stay informed about new legislation in order to oversee compliance with cybersecurity policies. For example, this past September the SEC brought its first case against a registered investment adviser, alleging that its failure to establish required cybersecurity policies and procedures compromised the personal information of roughly 100,000 individuals.
6. Policies that go beyond IT. Corporate policies such as “Bring Your Own Device” (BYOD) have implications that go beyond operations and the desire to increase accessibility and productivity. They can affect the security of the organization’s sensitive information (e.g. a device with access to the organization’s network is stolen, or is compromised by a malicious app installed on the personal device), and therefore also need to be assessed at the board level.
7. Set the tone in the organization. Boards need to assess the organization’s cybersecurity protection measures, raise awareness of innovative cybersecurity solutions, and take part in the effort of building a strong culture of data security at all levels of the organization.
Even without going as far as the proposed Cybersecurity Disclosure Act of 2015, which would require publicly traded companies to disclose whether any member of their board of directors is a “cybersecurity expert,” a lack of cybersecurity is a big risk to an organization’s viability and cannot be ignored by the board.
To meet its duty towards shareholders, the board must be involved in the organization’s cybersecurity activities in the same way as it is versed in the financial ones. Since cybersecurity measures are not one-size-fits-all, companies and their boards must assess their cyber risk management based on their specific industry, product, internal processes, external vendors, and more.
In our next post, we will drill down into practical steps on how to discuss cyber risks with your board. Stay tuned!