There is no doubt that the costs of a cyber incident can be staggering, with first party breach response expenses, business interruption loss, and third party litigation all having a noticeable impact on the bottom line. In some cases, the fallout may affect a brand’s reputation, strain a company’s ability to serve customers, or prevent a nonprofit organization from effectively fulfilling its mission. Given the existential threat posed by cyber risks, the issue has gradually risen from solely an IT department problem to one that concerns top-level management. In recent years, there have been several high profile shareholder derivative lawsuits aimed at directors and officers of publically-traded companies following data breaches, often alleging a breach of fiduciary duty, negligence, or gross mismanagement. Boards of directors for private companies and nonprofits alike have a duty of care to their organizations, and individual directors and officers may be held personally liable for their failures, negligence, or inaction. In an era where the prevention of cyberattacks is virtually impossible, it is imperative that boards recognize their exposure to cyber risk and proactively take the steps to manage it.
Here are some of the major topics that boards should contemplate when assessing and addressing their organizations’ cyber risk:
1) Cyber Risk Assessment: Depending on the size of your organization and resources available, a security audit or cyber risk assessment can provide a clear outline of the most likely sources of cyber threats, identify vulnerabilities in your network, and provide recommendations to address these exposures from both technological and procedural standpoints.
2) Regulatory Environment: Boards should educate themselves on the types of information the organization typically handles; which state or federal laws may govern the collection, retention, use, or disposal of such data; and what the organization should be doing to comply with those laws from a best-practices standpoint.
3) Information Security Leadership: Whether it’s a chief information security officer, chief technology officer, or director of information technology, there should be one individual who is responsible for overseeing all cybersecurity operations, preferably with regular and direct communication with the board.
4) Incident Response Planning: In conjunction with the chief information security officer (or equivalent), the board should approve an enterprise-wide cyber incident response plan that contemplates a variety of incidents, including data breaches, system outages, denial of service attacks, and ransomware. The best incident response plans will outline specific roles and responsibilities in the event of a cyber incident, and will be reevaluated, updated, and practiced on a regular basis.
5) Culture of Security: Despite the sophistication of present-day technology, most successful data breaches and cyber incidents can ultimately be traced back to human error or carelessness. This highlights the need for boards to encourage a “culture of security” from the top down, educating all personnel on proper “cyber hygiene” and empowering employees to report suspicious emails or other threats as soon as they are identified.
6) Risk Retention and Transfer: While there are many ways to reduce the likelihood of a breach and even mitigate the impact of a cyber event, boards must also consider risk transfer as a financial backstop. Purchasing a dedicated cyber insurance policy not only provides protection from first party losses and third party liability but also offers access to a network of experienced claim specialists, forensic experts, and data privacy attorneys.
Reprinted with Permission by Philadelphia Insurance Company